Rendering Blockchain Operations Resistant to Advanced Persistent Threats (APTs)

ABSTRACT

A permissioned blockchain, using off-chain storage, provides advantages over blockchains that rely on consensus and/or store information within the blockchain. Advantages include enhanced viability, compactness, and the ability to register material with distribution limitations (e.g., military classified). Examples create an immutable public record of data signatures that confirm when data is intact, without distributing the data itself, so that widespread availability of the blockchain (beyond those privileged to see the data) advantageously increases the size of the community that is able to detect spoofing or forgery attempts. A permissioning entity limits submissions to manage blockchain growth, foreclosing problematic material that may risk long-term viability. Examples render blockchain operations resistant to advanced persistent threats (APTs), leverage digital signatures as additional trust elements for high-risk data, link records to track pedigree and enable identification of superseded (obsolete) data, and leverage out-of-band date proof to enable independent verification of integrity and no-later-than data-of-existence.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional PatentApplication No. 63/070,363, filed Aug. 26, 2020, entitled “Multi-StageIntegrity Verification Using a Blockchain”, the entirety of which ishereby incorporated by reference herein; and also claims the benefit ofU.S. Provisional Patent Application No. 63/311,943, filed Nov. 15, 2020,entitled “Blockchain With Multi-Tier Chaining”, the entirety of which ishereby incorporated by reference herein.

GOVERNMENT RIGHTS

This invention was made with government support under contract47QFLA19D0015 awarded by the General Services Administration. Thegovernment has certain rights in the invention.

BACKGROUND

A blockchain (a.k.a. block chain) provides a trust element that may beleveraged to improve trust in digital content, such as distributedledgers and even stand-alone digital files. There are multiple differingaspects of blockchain design that are relevant here. Some includewhether chain growth is controlled by community consensus or instead iscentrally managed and controlled by a permissioning entity; and whetherthe blockchain itself stores the data (e.g., a distributed ledger ordistributed database) or instead uses off-chain storage and theblockchain stores only hash values (message digests) of registered data(digital content). Another relevant aspect is whether the blockchainprovides only ordinal date proof (i.e., the order in which records arereceived, or blocks are added to the chain, but not a provable calendardate) or instead provides an out-of-band date proof that may be used toindependently establish a no-later-than date-of-existence for a block,which then establishes a no-later-than date-of-existence for each recordwithin that block, which then establishes a no-later-thandate-of-existence for digital content covered by one of the recordswithin that block.

A permissioned blockchain, using off-chain storage, provides advantagesover blockchains that rely on consensus and/or store information withinthe blockchain. Advantages include enhanced viability, compactness, andthe ability to register material with distribution limitations (e.g.,military classified). Examples create an immutable public record of datasignatures that confirm when data is intact, without distributing thedata itself, so that widespread availability of the blockchain (beyondthose privileged to see the data) advantageously increases the size ofthe community that is able to detect spoofing or forgery attempts. Apermissioning entity limits submissions to manage blockchain growth,foreclosing problematic material that may risk long-term viability.Examples render blockchain operations resistant to advanced persistentthreats (APTs), leverage digital signatures as additional trust elementsfor high-risk data, link records to track pedigree and enableidentification of obsolete (e.g., superseded) data, and leverageout-of-band date proof to enable independent verification of integrityand no-later-than data-of-existence.

In general, consensus blockchains that include distributed ledgers aresuperior for cryptocurrencies, because the absence of a central managerrenders such blockchains somewhat immune to external influence and thedistributed ledger makes the relevant information (i.e., the spendinghistory of a token) easily available to the people who need to trust theledger (e.g., the people who will be accepting tokens for value). Thishighlights a significant issue: a distributed ledger is not a trustelement because it contains the ledger information (i.e., the spendinghistory of a token, so that double-spending attempts may be detected).Rather, the trust in a blockchain arises from its widespreaddistribution outside the control of any single party, such that(hopefully), any attempt to alter any content within the blockchain andattempt to represent the altered content as accurate will be detected byothers with a high degree of certainty. This trust mechanism, however,can also be accomplished by off-chain storage blockchains where hashvalues are stored on the chain that act as digital fingerprints ofdigital content stored off of the blockchain, although additional stepsare required: retrieving the digital content, hashing it, and comparingthe result with the contents of the blockchain.

However, in general, permissioned, off-chain storage blockchains aresuperior trust elements for digital data that may not be suitable foruncontrolled, widespread distribution (e.g., military-relatedinformation, financial records, legal documents, trade secretinformation, and personal information). The use of a permissioningentity is not a problem for many types of information, for exampleinformation produced by regulated industries or industries operated bypublicly-held corporations (e.g., financial, legal, manufacturing,infrastructure, defense), because the prospect of governmentinterference is not as much of a potential concern as it may be for comecryptocurrency users. Also, beyond challenges to long-term viabilityintroduced by consensus (as described below), distributed ledgers anddistributed databases have multiple additional disadvantages relative tooff-chain storage. Every copy of a distributed ledger (or database, usedsynonymously, here) is a potential leak point for any sensitive ordistribution-imitated information.

For information that has a distribution limitation (e.g., ITAR, militaryclassified information, subject to NDA), any surplus copies presentsecurity risks. Any storage solution for such information that uses adistributed ledger has an unnecessary, designed-in security risk. Allcopies of a distributed ledger must be stored according to thedistribution limitation of the most tightly-controlled information,resulting in either a plurality of different blockchains, or if only asingle blockchain is used, it is accessible to only the smallerpopulation having the highest security clearance (thereby reducingutility). Blockchains that use off-chain storage, however, mayinter-mingle records for digital content having differing distributionlimitations, because the records do not contain the actual digitalcontent that is subject to the distribution limitations. Thus, the trustelement may be widely-distributed, maximizing trust, using a commonblockchain for multiple levels of distribution limitations, while thedigital content itself may be stored securely, and segregated as neededusing access controls that enforce the particular distributionlimitations.

Storage is considerably easier and less expensive for off-chain storageblockchains, because the records will typically be smaller than thedigital content that is represented by a record. Thus, multiple peoplecan download and store copies of the blockchain, and only retrieve thesmaller amount of digital content that they need, and only when they doneed it. Although distributed ledgers do provide a backup functionality,once some sensible number of backup copies exist (which may betraditional backups and not require a blockchain), further copiesprovide diminishing returns for the alleged backup utility.Additionally, the blockchain itself may have looser distributionlimitations, precluding the need for more expensive storage that iscleared for the most tightly-controlled digital content.

Unfortunately, trust in blockchains is often misplaced or may be greaterthan is warranted. For example, blockchains that use mining andcommunity consensus to grow the chains, and motivate miners withvaluable tokens as rewards, face multiple threats that may undercuttrust at some point in the future. That is, token mining as a mechanismfor ensuring participation in a blockchain community introduces aninevitable sunset (end date) on the viability of a blockchain.Blockchains that use a permissioning entity to control the content andgrowth of the chain do not require consensus or mining, although theyface a different set of risks to the trust that they provide.

In the absence of a permissioning entity regulating which records areadmitted into a blockchain, and controlling the growth of the chain, tworisks become apparent that may threaten the viability of such adistributed blockchain. One is that problematic material may enter theblockchain, such as obscene material, material that violates someone'sprivacy, material that violates a copyright, and/or material that isotherwise illegal to publicly disclose. Even if material is notapparently problematic upon entry into the blockchain, a subsequentdevelopment may render the material problematic to retain. For example,under the European General Data Protection Regulation (GDPR), a right toerasure (Article 17) permits a person to demand that certain informationbe deleted from certain data sets, in certain circumstances, and such ademand then becomes legally enforceable with penalties specified in theGDPR for non-compliance. If that person's information appears within ablockchain, deletion may not be possible without destroying theintegrity of the chain. Additionally, with no gate-keeper on contentinsertion, obscene material may be put into a blockchain, as has alreadyoccurred with Bitcoin. Although currently this does not present a legalliability for people possessing copies of an affected blockchain, thereis no guarantee that, decades from now, the presence of illegal materialwithin decentralized blockchains (i.e., blockchains lacking apermissioning entity) will not be used by some governments to tryeliminating cryptocurrencies as competition for their nationalcurrencies. If this occurs, then the “protection” of documents and filesby affected blockchains may deteriorate.

Consensus is used in decentralized blockchains as a means of selectingwhich blocks will be added to a blockchain, in the absence of apermissioning entity that makes such decisions. Mining was introduced inBitcoin (and some other blockchains) as a way to ensure a relativelylarge community of miners, who double as independent verificationentities for the integrity of a blockchain and provide the consensus.Unfortunately, the economic reality of inherent efficiencies of scaleprovides an incentive for large miming farms to supplant small-scaleindependent miners. Initially, small-scale miners (e.g., individuals)may likely be drawn from a pool of “early adopters,” although after thevalue of mining is established, larger numbers of people may becomeinvolved, including institutional investors and even some governmentsthat are able to support large-scale operations. Large-scale operations,that intelligently allocate the mining search space among nodes within afarm or coordinate across multiple farms controlled by friendlyentities, are likely to achieve a higher return on investment (ROI) thansmall-scale miners may be able to achieve. This is because ROI isproportional to the expected count of earned tokens, divided by the costof mining operations. Spreading fixed costs over a larger number ofunits (e.g., mining nodes) typically reduces per-unit cost, even as theexpected count of earned tokens grows approximately linearly with thenumber of units. The result is that the small-scale miners, who provedthe technology by early adoption, are then eventually displaced by asmaller number of large-scale mining operations.

The original Bitcoin paper by Satoshi Nakamoto foresaw a large number of“honest nodes” (miners) keeping the Bitcoin blockchain trustworthy.(Note that the term “blockchain” originated later, and not in theoriginal Bitcoin paper. Note also that the framework for a permissioned,off-chain storage blockchain preceded the original Bitcoin paper, usingthe term “edition chain,” and is described in U.S. Pat. No. 7,904,450,filed April 2008.) The inevitable tendency of mining efforts toconsolidate into a shrinking number of increasingly large mining farms,controlled by entities (such as the Chinese, North Korean, and Russiangovern/113,943nts) with potentially hostile motives toward an economythat had accumulated significant cryptocurrency wealth may not have beenforeseen by Nakamoto. However, at some point, independent, small-scaleminers may come to view mining as too expensive and, as they abandonmining operations, the growth of some blockchains may then be largelycontrolled by entities that are hostile to the interests of the USA.When this happens, the scenario of an attacker placing forged entriesinto the blockchain becomes feasible, because the attacker and/or theattacker's allies may control a significant portion (even if less thanhalf) of the total mining capacity.

Although the use of quantum computing for token mining would beconsidered to be a significant waste of resources, due to the relativevalue of tokens in view of the cost of obtaining quantum computingcapability, if controlling the growth of a decentralized blockchainprovides other value, rational attackers may attempt to wrest controlfrom “honest nodes,” if even for only a short period of time. Consider apossibility in which a country's government relies upon a particularblockchain for registering important documents, and a significantpercentage of that country's population has accumulated wealth in acryptocurrency that relies upon that particular blockchain. A hostilegovernment may see value in an economic warfare attack that seeks todestroy the accumulated wealth and undermines trust in the government'simportant documents. Even if the threats described above (e.g., obscenematerial rendering possession of a blockchain copy illegal, and miningbeing controlled by hostile interests) do not materialize for years ordecades, their possible inevitability places a potential end date ontrust for information that is supposedly protected by such blockchains.A blockchain without such risks to its long-term viability may provide asuperior trust element.

Ironically, a solution to such risks preceded, by nearly two decades,the explosive growth of blockchains that was brought on by Bitcoin. TheHaber-Stornetta solution, which dates back to the early 1990's, uses apermissioning entity that adds records to an ever-growing chain. Thepermissioning entity is able to screen submissions and publishes recordsthat are safe for possession (i.e., they do not contain problematicmaterial). The records include hash values (message digests) in the formof hexadecimal numbers, and some labels that are likely to be innocuous.Such a solution has the potential of longevity for as long as thepermission entity is operating in a trustworthy manner, has sufficientfunding, and does not depend on the continued existence of a widespreadhonest mining community.

Additionally, the Haber-Stornetta solution also introduces anout-of-band date proof in the form of a classified advertisement,containing a hash value of the most recent content that is chained toprior content by earlier hash values. This trust element is published ina permanent public record, the New York Times newspaper. However, theHaber-Stornetta solution was designed to enhance trust in a timestampingagency (TSA, a.k.a. trusted timestamping authority), rather than beingdesigned to facilitate fully independent, external verification of theintegrity and no-later-than date-of-existence of digital content (i.e.,verification may be accomplished by external actors, independently,without needing to involve the TSA in any manner). Although theHaber-Stornetta solution was designed to enable the TSA to prove thatits timestamping values are accurate (at least to within the timeframesupported by the classified advertisement publications), a new threathas emerged to blockchains operated by permissioning entities.

Even an honest permissioning entity (i.e., a permissioning entitystaffed by honest people who do not attempt to forge or otherwisefalsify records, despite potential bribery and blackmail attempts) mayhave its computer networks infiltrated by an advanced persistent threat(APT). If, for example, a particular blockchain is used by onegovernment for important military-related information, attackers thatare paid by or are otherwise sympathetic to a second, hostile governmentmay attempt to hide malicious logic (i.e., an APT) on the computernetwork of the blockchain's permissioning entity. Such malicious logicmay alter received records (or timestamps associated with those records)that are accumulating and awaiting generation of the hash value for theclassified advertisement or other out-of-band date proof. Independent,external verification of a blockchain's integrity may do more thanmerely insulate a permissioning entity from accusations of falsifyingrecords. In some scenarios, it may enable detection of APT activity thatis occurring on the permissioning entity's computer network that affectsblockchain records, but yet has not been noticed by the permissioningentity itself.

Examples of important information that may require integrityverification include large data sets produced by the operation ofsensitive industrial systems. Plain text data files may feature millionsof records of quantitative readings. The size and density of informationin some of the files may permit an attacker to hide modifications (e.g.,a single altered value in a large data record may escape detection)until after damage occurs. For example, such an attack has the potentialto spoil the authenticity of sensitive data, thereby destroying thevalue of the entire data set for downstream analytics that rely upon itslong-term integrity\.

BRIEF DESCRIPTION OF THE DRAWINGS

The disclosed examples are described in detail below with reference tothe accompanying drawing figures listed below:

FIGS. 1, 2A, 2B, 3A, 3B, 4A, 4B, 5A, and 5B illustrate exemplary stagesof an attacker attempting to induce a producer into inserting maliciousdigital content into a product for a user.

FIG. 6A illustrates an exemplary scenario in which a developer leveragesa blockchain with out-of-band date proof to pre-emptively frustrate theattacker's efforts shown in FIGS. 1-5B.

FIG. 6B illustrates an exemplary out-of-band date proof.

FIGS. 7 and 8 illustrate an exemplary scenario in which the producerdetects the attacker's efforts and correctly decides to use thedeveloper's digital content.

FIGS. 9 and 10 illustrate a process that may be used with the scenariodepicted in FIGS. 7 and 8.

FIG. 11 illustrates various options for generating message digests (hashvalues) for digital content, to link records, and/or to link blocks.

FIG. 12 illustrates a process of generating records for digital content,chaining records, assembling blocks, and chaining blocks to produce ablockchain with multi-tier chaining.

FIG. 13 illustrates various options for the multi-tier chaining.

FIG. 14 illustrates various options for deduplication with multi-tierchaining.

FIG. 15 illustrates various options for record content.

FIG. 16 illustrates various uses for record link fields.

FIG. 17 illustrates a flowchart of exemplary operations associated withrendering blockchain operations resistant to advanced persistent threat(APTs).

FIG. 18 illustrates a flowchart of exemplary operations associated usinglinking blockchain records to identify certification, track pedigree,and/or identify superseded digital content.

FIG. 19 illustrates a flowchart of exemplary operations associated withusing blockchain records with third party digital signatures as a trustelement for high-risk digital content.

FIG. 20 illustrates an exemplary arrangement that implements aspects ofblockchain operations described in referenced to other figures herein.

FIG. 21 illustrates a stratified and segmented storage solution suitablefor use with various classification levels of information registeredwith a common blockchain.

FIGS. 22-25 illustrate flowcharts of exemplary operations associatedwith disclosed examples of blockchain operations.

FIG. 26 illustrates a block diagram of a computing device suitable forimplementing various aspects of the disclosure.

DETAILED DESCRIPTION

A blockchain is disclosed that provides multiple advantageous featuressimultaneously or independently, including rendering blockchainoperations resistant to advanced persistent threats (APTs), providingthird party digital signatures as an additional trust element forhigh-risk digital content, linking blockchain records to track pedigreeand identify obsolete digital content (i.e., digital content registeredin the blockchain that has been superseded), and other advantages.Aspects of the disclosure include chaining records as they are submittedand then including those records, still chained, within blocks that arechained—thus providing two tiers of chaining: record chaining and blockchaining. Multiple options exist for interleaving the chaining ofrecords with the chaining of the blocks, and handling duplicate records.Aspects of the disclosure include integrating an out-of-band date proofwith third party digital signatures, such as the permissioning entity'sdigital signature on a record submission and a certification entitydigital signature indicating that the digital content associated with ablockchain record has been examined and is trustworthy (e.g., thecertification entity has expertise to certify that the digital contentis free from malicious logic), in addition to the digital signature ofthe developer of the digital content (or other data owner). Aspects ofthe disclosure include using link fields to track pedigree of digitalcontent, by enabling a data user (e.g., a data owner or a data consumer)to track revision history within the blockchain, and also to enable thedata user to ascertain whether the digital content being investigated isthe current copy or whether a superseding copy has been registered inthe blockchain.

Of the five pillars of information assurance: (1) availability, (2)authenticity, (3) confidentiality, (4) integrity, and (5)non-repudiation, aspects of the disclosure directly address providingfor improved assurances of authenticity and integrity. In some examples,improved non-repudiation may also be provided. Common availability andconfidentiality measures are compatible with this disclosure, and may beprovided using standard techniques such as encryption and recoverysystems. Aspects of the disclosure leverage a simple, yet powerful,concept: one of the few places that an attacker (“hacker”) cannot breakinto is a calendar date that has already passed. That is, a sufficientlyskilled attacker with sufficient resources may breach systems that arehighly secure, and may even plant APTs that remain undetected for manyyears, but no attacker is able to get into a time machine, go back intime, and perform a task as simple as placing a classified advertisementin a newspaper at a date that has already passed. This is one of therare certainties in an environment in which few systems may beconsidered to be solidly secure against any attack.

FIGS. 1, 2A, 2B, 3A, 3B, 4A, 4B, 5A, and 5B illustrate exemplary stagesof an attacker attempting to induce a producer into inserting maliciousdigital content into a product for a user. FIG. 1 demonstrates a problemthat may be solved using aspects of the disclosure. In an arrangement100, a producer 102 is providing a product 104 to a user 108. Product104 may be an integrated circuit (IC) or another complex computingproduct. Producer 102 intends to use digital content, such as digitalcontent 114 from a developer 110 within product 104. Digital content 114is annotated with a “C” to indicate that it is clean of malicious logic.If producer 102 were able to obtain digital content 114 by takingphysical delivery from developer 110 in a secure manner, producer 102could authenticate the identity of developer 110, developer 110 couldassure producer 102 of the integrity of digital content 114, anddeveloper 110 could not repudiate digital content 114. In thisarrangement, developer 110 acts in the role of a data owner 111, andboth producer 102 and user 108 act in the roles of data consumers 109.It should be understood that some other entity may take possession ofdigital content 114 from developer 110 and act in the role of data owner111, to distribute digital content 114 and assure its integrity (asdescribed below for developer 110).

Unfortunately, however, rather than taking physical delivery of digitalcontent 114 from developer 110 in a secure manner, producer 102 obtainsdigital content 114 remotely, over a network 130. This means thatauthenticity, integrity, and non-repudiation require additional effort.For example, producer 102 may not have certainty that the digitalcontent received is not malicious digital content 124 (annotated with an“M” to indicate malicious content) from an attacker 120. Attacker 120may be attempting to insert malicious logic into the supply chain ofproducts by user 108. In general, producer 102 and user 108 may beconsidered to be data consumers 109. In some examples, producer 102obtains at least digital content 114 from a data custodian 112 that mayprovide storage of digital content 114. For example, developer 110 maysubmit digital content 114 to data custodian 112 for storage and laterretrieval by data consumers 109 (e.g., producers 102 and/or users 108).In some examples, data custodian 112 is the entity that submits digitalcontent 114 into a blockchain 410 and/or acts as a permissioning entity440 for blockchain 410 (see FIG. 4A and its description below). Forclarity of illustration, data custodian 112 is not shown in thesubsequent figures, although it should be considered to be a possibleactor in any of the scenarios described below, along with a potentialmalicious (spoofed) data custodian that facilitates the activities ofattacker 120 in inserting malicious digital content 124 into the supplychain relied upon by user 108.

Authenticity and integrity may be established using, for example, anarrangement 600 shown in FIG. 6A and a process shown in FIGS. 9 and 10.Non-repudiation may be achieved by developer 110 digitally signingdigital content 114, and further improved upon by using optional aspectsof arrangement 600 and the process shown in FIGS. 9 and 10.

FIGS. 2A-5B illustrate attempts to establish authenticity and integritythat retain vulnerability to attacker 120 (commonly called a “hacker”)inducing producer 102 to use malicious digital content 124 in place ofclean digital content 114. As illustrated in FIG. 1, producer 102 is inpossession of both clean digital content 114 and malicious digitalcontent 124, and must decide, with a decision process 106, which ofdigital content 114 and malicious digital content 124 to place inproduct 104 for delivery to user 108. Malicious digital content 124 isannotated with an “M” to indicate that it contains malicious logic. Inthe scenarios depicted herein, attacker 120 is attempting to compromiseproduct 104, for example, by surreptitiously exfiltrating data collectedor generated by user 108, selectively impairing the functionality ofproduct 104, or performing some other cyber-attack that leveragespre-positioned malicious logic. For the scenarios depicted herein,attacker 120 is sufficiently skilled at hiding malicious logic thatdecision process 106 might not reliably detect hidden malicious logicwithin malicious digital content 124.

FIG. 2A shows an arrangement 200 that introduces a certification entity210. Certification entity 210 generates a certificate 214 that certifiesdigital content 114 as being clean of malicious logic (e.g., has beenexamined and is trustworthy). Certificate 214 may be a digitalcertificate, digitally signed by certification entity 210. Certificationentity 210 uses analysis and/or testing in a certification process 216that is able to detect malicious logic within digital content with ahigh degree of certainty. In some examples, the expertise and functionof certification entity 210 is provided by producer 102, which providesa form of self-certification. In some examples, the expertise andfunction of certification entity 210 is provided by permissioning entity440. In some examples, the function of certification entity 210 is notprovided. In some examples, the expertise and function of certificationentity 210 is provided by a dedicated entity, neither producer 102, norpermissioning entity 440.

Concentrating the expertise within a special, dedicated certificationentity 210, rather than expecting each of multiple producers 102 to havecomparable capability, may provide efficiencies. For example, there maybe a single certification entity 210 supporting multiple producers 102.A single certification entity 210 may then specialize in detailedanalysis of digital content, searching for malicious logic, employing amore select set of subject matter experts in the relevant technologyfield. The multiple producers 102 then do not require the same degree ofexpertise, so they may concentrate on generating products rather thanfighting over a possibly small set of subject matter experts. In someexamples, there may be a combination of self-certification, in whicheach producer 102 certifies that certain secure practices had beenfollowed, and certification entity 210 certifies that there had been anindependent assessment (i.e., either an audit of the practices ofproducer 102, and/or an independent assessment of the content of digitalcontent 114).

Developer 110 submits digital content 114 to certification entity 210for certification. Certification entity 210 examines digital content 114for malicious logic and, finding none, certifies digital content 114 asbeing clean of malicious logic with certificate 214. Certificationentity 210 then sends certificate 214 back to developer 110. Producer102 is aware of certification entity 210 and seeks to operateefficiently by leveraging the expertise of certification entity 210.Thus, producer 102 develops a one-stage test 230 for received digitalcontent, and incorporates one-stage test 230 into decision process 106.The single stage is a certificate test 231.

Unfortunately, attacker 120 is also aware of certification entity 210and one-stage test 230, and so spawns a spoofed certification entity 220that produces a false certificate 224. False certificate 224 falselycertifies malicious digital content 124 as being clean of maliciouslogic. For this attack set-up to succeed, producer 102 will bemisdirected to spoofed certification entity 220, either instead of (oreven in addition to) rather than legitimate certification entity 210.Spoofing websites is an achievable attack, by multiple methods, for asufficiently-skilled attacker.

FIG. 2B is an alternative set-up by attacker 120, in which attacker 12surreptitiously inserts false certificate 224 into a database ofcertificates issued by certification entity 210. Surreptitiouslyinserting malicious data, into even supposedly secure websites, is anachievable attack for a sufficiently-skilled attacker (e.g., anation-state attacker or a well-funded organization). Thus, despitecertification entity 210 attempting to maintain security, the presenceof surreptitiously-inserted falsified data should be considered to be apossibility in many scenarios.

FIG. 3A demonstrates the exploitation of the attack set-up of FIG. 2A.As part of one-stage test 230, producer 102 sends an inquiry 311 a,which may have been intended for certification entity 210. However,inquiry 311 a is diverted to spoofed certification entity 220, whichresponds with false certificate 224 in a response 321 a. For example, arouter compromise 331 may intercept the internet protocol (IP) addressof a server run by certification entity 210 (sent from an internetbrowser or other software run by data consumer 109 in an attempt toobtain certificate 214) and replace it with the IP address of spoofedcertification entity 220. Certificate test 231 then passes, improperly,because data consumer 109 received false certification 224, believing itto be legitimate certificate 214. Mistakenly trusting false certificate224, producer 102 improperly identifies malicious digital content 124 asgood (i.e., clean of malicious logic) and uses malicious digital content124 in product 104. Product 104 is thus compromised, potentially harminguser 108 or providing attacker 120 with data that user 108 had intendedto keep confidential.

FIG. 3B demonstrates the exploitation of the attack set-up of FIG. 2B.As part of one-stage test 230, producer 102 sends an inquiry 311 b tocertification entity 210, and feels confident in one-stage test 230because response 321 b can be authenticated as coming from certificationentity 210. However, because inquiry 311 b was generated for maliciousdigital content 124, and certification entity 210 possesses falsecertificate 224 (due to surreptitious insertion) certification entity210 responds with false certificate 224. Thus, certification entity 210mistakenly validates malicious digital content 124. This may occurbecause response 321 b may be automated and/or because of the relianceof certification entity 210 on digital records. When an automated systemrelies upon digital records, the possibility of the automated systemproviding improper responses (due to surreptitiously-inserted falsifieddata) should be considered to be a possibility in many scenarios.

FIG. 4A shows an arrangement 400 that additionally introduces ablockchain 410. In some examples, blockchain 410 uses off-chain storage,in which document content is not stored within blockchain 410, butinstead documents are represented by records that contain hash values(hash function message digests) of the documents. The SHA-256 hashfunction is commonly used in blockchains, although using a combinationof SHA-512 and SHA-1, so that a document record contains both a SHA-512message digest and a SHA-1 message digest, may offer superior resistanceto second preimage attacks. A second preimage attack may occur when anattacker alters a first part of a document (which would produce adifferent message digest) and then alters a second part of the documentso that hashing the document produces the original message digest. Theadvent of quantum computing and some countries' governments fundingresearch by mathematicians means that second preimage attacks againstthe SHA-256 hash function should not be considered to be computationallyinfeasible indefinitely. One consideration is that a hash functionshould be used that accommodates the number of potential data ownerentries submitted to the blockchain over its viable operationallifetime, while mitigating hash value collisions.

In some examples, blockchain 410 is operated by a permissioning entity440 that approves or denies the inclusion of records in blockchain 410.Permissioning entity 440 enforces rules for records, such as format,content (i.e., only message digests and administrative data, such asrecord linking data), and that the submitter be approved for submittingto the blockchain (i.e., the submitter belongs to a particularorganization and/or pays a required fee for the right to submitrecords). Off-chain storage offers advantages including a more compactblockchain, the ability to exclude problematic material, and the abilityto distribute copies of blockchain 410 widely, without also distributingcopies of the documents registered within blockchain 410.

Developer 110 and/or certification entity 210 generates records 412 and414 for digital content 114 and certificate 214, respectively, andsubmits records 412 and 414 to blockchain 410. For example, record 412is generated for digital content 114 and record 412 is generated forcertificate 214, and may include message digests for digital content 114and certificate 214, respectively. Further detail on format and contentfor records is provided in relation to FIGS. 15 and 16, and furtherdetail on generation of message digests is provided in relation to FIG.11. In some examples, records 412 and 414 are linked with a record link416. In some examples, record link 416 is the creation of a singlerecord that includes message digests for both digital content 114 andcertificate 214. This may be accomplished by hashing the concatenationof digital content 114 and certificate 214, or alternatively by hashingthe concatenation of a message digest for digital content 114 and amessage digest for certificate 214. In some examples, record link 416may be cross-reference (or one-way) linking information placed withinindividual records 412 and/or 414 that reference the other record, asindicated in FIGS. 15 and 16. In some examples, records 412 and 414 aregenerated using digital signatures of developer 110 and/or certificationentity 210, in order to provide for non-repudiation. Digital signaturesmay be signatures of the data itself (e.g., digital content 114 orcertificate 214) or of message digests of the data.

Records 412 and 414 are submitted to permissioning entity 440, alongwith record link 416, who approves the records and record link 416 forinclusion in blockchain 410. Records 412 and 414, along with record link416, appear in block 411 a of blockchain 410. Block 411 a is annotatedwith a “C” to indicate that it contains record 412 for clean digitalcontent 114. With the availability of blockchain 410 to hold records fordigital content 114 and certificate 214, producer 102 adds a secondstage, blockchain test 432 (i.e., added to certificate test 231),thereby creating a two-stage test 430 for received digital content.Producer 102 incorporates two-stage test 430 into decision process 106.

Unfortunately, attacker 120 is also aware of blockchain 410 andtwo-stage test 430, and so spawns a spoofed blockchain 420 that mayappear to any user over network 130 to be legitimate blockchain 410.Spoofed blockchain 420 holds a record 422 for malicious digital content124, a record 424 for false certificate 224, and a record link 426 thatlinks records 422 and 424. Records 422 and 424 and record link 426 mayhave the same format as records 412 and 414 and record link 416, andtherefor appear (at least superficially) to be legitimate. Records 422and 424, along with record link 426, appear in block 421 a of spoofedblockchain 420. Block 421 a is annotated with an “M” to indicate that itcontains record 422 for malicious digital content 124, which containsmalicious logic.

However, together, spoofed blockchain 420 and spoofed certificationentity 220 provide the appearance that malicious digital content 124 andfalse certificate 224 may be as legitimate as digital content 114 andcertificate 214. If producer 102 is unaware that attacker 120 (or anentity cooperating with attacker 120) has spawned spoofed blockchain 420and spoofed certification entity 220, producer 102 may improperly trustspoofed blockchain 420 and spoofed certification entity 220 and includemalicious digital content 124 in product 104.

FIG. 4B is an alternative set-up by attacker 120, in which attacker 120submits records 422 and 424 and record link 426 to blockchain 410.Permissioning entity 440 includes records 422 and 424 and record link426, either by mistake or because attacker 120 had obtained thecredentials necessary to submit records to blockchain 410. Becauserecord 422 contains a message digest for malicious digital content 124,rather than the actual content of malicious digital content 124,permissioning entity 440 is unable to ascertain whether record 422represents anything containing malicious logic.

An important note, however, is that if the blocks of blockchain 410 areclosed out at a sufficiently rapid pace, by the time attacker 120 isable to produce all of malicious digital content 124, record 422, falsecertificate 224, record 424, and record link 426, block 411 has alreadybeen closed. The earliest block for which records 422 and 424 and recordlink 426 may be included is block 411 b of blockchain 410. This may beexpected, because attacker may not be aware of the opportunity toproduce a malicious logic version of digital content 114 until afterdigital content 114 is completed. This assumption requires thatdeveloper 110 maintain proper security during development so thatattacker 120 does not have a head start on producing malicious digitalcontent 124, record 422, false certificate 224, record 424, and recordlink 426.

Block 411 b is annotated with an “M” to indicate that it contains record422 for malicious digital content 124, which contains malicious logic.This later appearance of record 422 in block 411 b (or 421 a—which willalso be later than block 411 a for the reasons described) may beleveraged as described in relation to FIGS. 7 and 8. Unfortunately,arrangement 400 is not configured to use this time difference in themanner that arrangement 600 of FIG. 6 is able do. With brief referenceback to FIG. 4A, it is important to note than even though block 421 awill be closed after 411 a according to true timekeeping, spoofedblockchain 420 may falsify timestamps in order to assist attacker 120with maintaining the deception that malicious digital content 124 islegitimate.

FIG. 5A demonstrates the exploitation of the attack set-up of FIG. 4A.As part of two-stage test 430, producer 102 sends an inquiry 512 a,which may have been intended for blockchain 410. However, inquiry 512 ais diverted to spoofed blockchain 420, which responds with records 422and 424 and record link 426 in a response 522 a. For example, a routercompromise 532 may intercept the IP address of a server holdingblockchain 410 (sent from an internet browser or other software run bydata consumer 109 in an attempt to obtain a copy of blockchain 410) andreplace it with the IP address of spoofed blockchain 420. In somescenarios, response 522 a includes a falsified timestamp. Producer 102has no way to independently validate a timestamp received from spoofedblockchain 420, and so blockchain test 432 passes, improperly.Mistakenly trusting false certificate 224, because of finding records422 and 424 and record link 426 within spoofed blockchain 420 (andtrusting a potentially falsified timestamp), producer 102 improperlyidentifies malicious digital content 124 as good (i.e., clean ofmalicious logic) and uses malicious digital content 124 in product 104.Product 104 is thus compromised, potentially harming user 108 orproviding attacker 120 with data that user 108 had intended to keepconfidential.

FIG. 5B demonstrates the exploitation of the attack set-up of FIG. 4B.As part of two-stage test 430, producer 102 sends an inquiry 512 b toblockchain 410, and feels confident in two-stage test 430 becauseresponse 522 b can be authenticated as coming from blockchain 410.However, because inquiry 512 b was generated for records 422 and 424 andrecord link 426, which do appear within blockchain 410, the assurancesupposedly provided by blockchain 410 should not be trusted. It shouldbe understood that, although blockchains can validate the presence andlocation of records, they do not actually verify the accuracy orcorrectness of the contents of those records. Thus, blockchain 410offers limited value. It does offer value, but the limitations of itsvalue should be properly appreciated.

FIG. 6A illustrates an exemplary scenario in which a developer leveragesa blockchain with out-of-band date proof to pre-emptively frustrate theattacker's efforts shown in FIGS. 1-5B. FIG. 6A shows an arrangement 600that additionally introduces an out-of-band date proof 610 that may beused to validate timestamps in blockchain 410. Out-of-band date proof610 may be a public record with easy date verification, and suchwidespread dissemination that attacker 120 cannot possibly hope to forgeall copies of out-of-band date proof 610 that may be available toproducer 102. An example out-of-band date proof 610 is illustrated inFIG. 6B, which is a page from the USA Today newspaper. Another exampleout-of-band date proof 610 may be a notice placed in the FederalGazette, or another widely-disseminated news source.

Out-of-band date proof 610 has a specific date proof element 641 for aclosed block of an example blockchain. Specific date proof element 641includes a concatenation of a SHA-512 message digest and a SHA-1 messagedigest for a closed block. Anyone who obtains a copy of that block, andindependently hashes it, will be able to trust that the block hadexisted no later than a provable date 642, merely by comparing theindependently-calculated message digests with specific date proofelement 641. Provable date 642 may be identified as a specific day on acommon calendar 612.

Returning to FIG. 6A, arrangement 600, which is able to advantageouslyleverage provable date 642 for a record within blockchain 410 will befurther described. In addition to obtaining certificate 214, andregistering records 412 and 414 and record link 416 in blockchain 410,developer 110 generates a publicity element 611, identifying ordescribing digital content 114 (e.g., by name and/or function), forout-of-band date proof 610. For example, publicity element 611 mayinclude a description of digital content 114, along with a messagedigest (e.g., SHA-1, SHA-256, SHA-512, or any concatenated combination).In some examples, publicity element 611 identifies block 411 a and/orspecific date proof element 641.

A desirable aspect of out-of-band date proof 610 is that, uponpublication, it is disseminated so widely that the information containedin the publication is outside the control of anyone. This means that,once published, no one is able to forge a copy without detection,because multiple original (unforged copies) will remain in thepossession of a large number of parties, each with disparate interests.For example, producer 102 and user 108 may obtain copies of out-of-banddate proof 610 shortly after its publication with publicity element 611and/or specific date proof element 641. Producer 102 and user 108 mayretain their own copies, under their own control, so that at a latertime, when they receive digital content 114 (i.e., producer 102 receivesdigital content 114 directly, whereas user 108 receives digital content114 within product 104), producer 102 and user 108 have the ability toindependently verify a no-later-than date-of-existence for digitalcontent 114 using out-of-band date proof 610. This means that, ifattacker 120 did not have time to forge malicious digital content 124prior to the verifiable no-later-than date-of-existence for digitalcontent 114, producer 102 and user 108 have the ability to screen outmalicious digital content 124 from use by user 108 in product 104, nomatter how skilled attacker 120 may be in disguising the maliciouslogic. In some examples, out-of-band date proof 610 provides anelectronic interface 610 a, such as a searchable website storingarchives of past publications.

This provides an advantageous feature of the disclosure over blockchainsthat do not leverage an out-of-band date proof mechanism. Aspects of thedisclosure provide for independent, external verification of blockchaincontent. Such a feature may not be available in traditional blockchains.

Upon entering records 412 and 414 and record link 416 in blockchain 410,and closing block 411 a, permissioning entity 440 publishes blockchain410 for dissemination and generates specific date proof element 641 forclosed block 411 a. Out-of-band date proof 610 publishes specific dateproof element 641 and publicity element 611, and disseminates copies sowidely, that attacker 120 has no opportunity to forge all of the copies.Certification entity 210 may also publicize the date that certificationentity 210 certifies digital content 114, as this date may likely bedelayed due to length of the certification process 216. This provides asecond out-of-band date proof to mitigate possible collusion betweendeveloper 110 and attacker 120 who might attempt to underminecertification entity 210. In some examples, certification entity 210 maybe a government entity, for example a Department of Defense (DoD) orother US government entity.

Permissioning entity 440 may use the later out-of-band date proof (e.g.,a later version of out-of-band date proof 610) for certificate 214 fromcertification entity 210 to verify the date for certificate 214 and/oruse both out-of-band date proof 610 for digital content 114 and thelater out-of-band date proof for certificate 214 to ensure that it isdigital content 114, and not malicious digital content 124 that isregistered in blockchain 410. The use of widespread publicity and publicrecords that are too widely dispersed, with too many copies, to bealtered after dissemination, along with blockchain 410 being publiclyinspectable provides a mechanism for c records as a mechanism to provideongoing defense against a Byzantine fault. Even in the event that one ofdeveloper 110, certification entity 210, and permissioning entity 440colludes with attacker 120 to substitute malicious digital content 124for digital content 114, a data consumer 109 (e.g., producer 102 and/oruser 108) would be able to detect this attempt and avoid inadvertentlyusing malicious digital content 124 if 109. The use of digitalsignatures by developer 110, certification entity 210, and permissioningentity 440 within records of blockchain 410 further hardens thisprotection. The larger the community of data consumers (e.g., community2120 of FIG. 21) that inspects blockchain 410 and verifies the integrityof records and blocks against out-of-band date proof 610, and verifiesthe digital signatures of developer 110, certification entity 210, andpermissioning entity 440, the more robust blockchain 410 becomes againstforgery attempts.

At this point, anyone will be able to ascertain with certainty thatrecords (e.g., records 412 and 414) that appear within block 411 aexisted no later than provable date 642 (of FIG. 6B), but no suchcertainty may exist for any records (e.g., records 422 and 424) thatonly just first appeared within block 411 b. Thus, out-of-band dateproof 610 provides a way to differentiate between digital content 114and malicious digital content 124.

Producer 102 adds a calendar test 633 to certificate test 231 andblockchain test 432, to create a three-stage test 630 for receiveddigital content, to use in decision process 106. As will be described inrelation to FIG. 7, calendar test 633 is able to differentiate betweendigital content 114 and malicious digital content 124.

FIGS. 7 and 8 illustrate an exemplary scenario in which the producerdetects the attacker's efforts and correctly decides to use thedeveloper's digital content. FIG. 7 demonstrates how producer 102leverages out-of-band date proof 610 to detect that attacker 120 isattempting to substitute malicious digital content 124 (with maliciouslogic) for clean digital content 114—even when attacker 120 expendssufficient effort to create plausible false certificate 224, falserecords 422 and 424, and/or spoofed blockchain 420 with falsifiedtimestamps. In some examples, producer 102 queries out-of-band dateproof 610 electronically, using electronic interface 610 a, or using apublished paper copy available at a library, or using a trustedrepository of archived document that may be unknown to attacker 120. Insome examples, producer 102 consults its own copy of out-of-band dateproof 610 that it obtained per FIG. 6A. User 108 may also independentlyquery out-of-band date proof 610, or use its own copy of out-of-banddate proof 610.

Despite certificate test 231 and blockchain test 432 passing withmalicious digital content 124, when calendar test 633 compares dateinformation for malicious digital content 124 (e.g., a timestamp fromspoofed blockchain 420) with out-of-band date proof 610, calendar test633 fails. This may be because an inquiry 713 to out-of-band date proof610 results in a response 723 that fails to provide confirmation of therelevant date. This may be because no message digest or specific dateproof element 641 can be found to exist as of the date identified inpublicity element 611, that links to malicious digital content 124. Ifany reference to malicious digital content 124 does exist withinout-of-band date proof 610, it will be for a later block (e.g., block411 b).

FIG. 8 demonstrates how producer 102 is able to trust digital content114, so that digital content 114 may be used in product 104. Certificatetest 231 passes when an inquiry 811 to certification entity 210 resultsin a response 821 that identifies certificate 214. Blockchain test 432passes when an inquiry 812 to blockchain 410 results in a response 822that identifies records 412 and 414 and record link 416. Calendar test633 passes when an inquiry 813 to out-of-band date proof 610 results ina response 823 that identifies specific date proof element 641 thatmatches publicity element 611.

FIGS. 9 and 10 illustrate a process of using arrangement 600, and shouldbe viewed together, along with FIGS. 6 and 8. FIG. 9 is in a flowchartform, showing a flowchart 900, and FIG. 10 is in a message sequenceform, showing a message sequence diagram 1000. In some examples, atleast a portion of flowchart 900 may be performed using one or morecomputing devices 2600 of FIG. 26. Developer 110 develops digitalcontent 114 at 902, and data owner 111 (which may be developer 110 oranother entity acting as the primary data owner in place of developer110) submits digital content 114 to certification entity 210 at 904.Certification entity 210 examines digital content 114 for maliciouslogic (using certification process 216) at 906 and, finding no maliciouslogic, certifies digital content 114 with certificate 214 at 908.Certification entity 210 sends certificate 214 to data owner 111 at 910.

Data owner 111 (or alternatively, certification entity 210) generatesrecord 412 for digital content 114 at 912, generates record 414 forcertificate 214 at 914, and links records 412 and 414 with record link416 at 916. Data owner 111 (or alternatively, certification entity 210)generates publicity element 611 to publicize the date of thecertification of digital content 114 and submits it to out-of-band dateproof 610 at 918. At a later stage, publicity element 611 will providethe no-later-than date-of-existence for record 412, to which specificdate proof element 641 will be compared. Thus, it may be preferable fordata owner 111 to craft publicity element 611 to refer to provable date642 for specific date proof element 641. This may require publishingpublicity element 611 contemporaneously, or shortly after publishingspecific date proof element 641. The shorter the delay betweenpublishing specific date proof element 641 and publishing publicityelement 611, the less time attacker 120 will have to race to completionof malicious digital content 124 with malicious logic. Data owner 111(or alternatively, certification entity 210) submits records 412 and 414and record link 416 to blockchain 410 (via permissioning entity 440) at920.

Permissioning entity 440 approves records 412 and 414 and record link416 for inclusion in blockchain 410 at 922 and enters them into(currently open) block 411 a at 924. Permissioning entity 440 closesblock 411 a at 926 and publishes the latest version of blockchain 410with block 411 a at 928. In some examples, blocks are closed out on aschedule, such as hourly, daily, or upon the lapse of another set timeperiod. At 930, permissioning entity 440 generates specific date proofelement 641 for block 411 a, which may be one or more message digests ofblock 411 a that are used to chain block 411 a with subsequent block 411b. Permissioning entity 440 also submits specific date proof element 641for block 411 a to out-of-band date proof 610 for publication and widedissemination. Out-of-band date proof 610 is available to both producer102 at 930 a and user 108 at 930 b, as shown in FIG. 10. Producer 102and user 108 may retain their copies of out-of-band date proof 610 undertheir own control so that, at a later time, they may trust their owncopies of out-of-band date proof 610 (at 940 b and 948 c, describedbelow). Together, operations 902-930 form an integrity and date proofset-up operation 932.

Operations 934-948 together form an integrity and date verificationoperation 950. At 934, producer 102 receives digital content candidates,for example clean digital content 114 from data owner 111 and alsomalicious digital content 124 from attacker 120. At this point, producer102 does not know which of digital content 114 and malicious digitalcontent 124, if either, should be trusted. Producer 102 performscertificate test 231 at 936, for example determining whether certificate214 exists for digital content 114. In some examples, producer 102queries certification entity 210 directly, at 936 a (FIG. 10), as partof certificate test 231. If certificate test 231 fails, producer 102will reject the digital content candidate at 952, and move to the nextdigital content candidate. However, for the examples, digital content114 and malicious digital content 124, certificate test 231 is passed.Producer 102 performs blockchain test 432 at 938, for exampledetermining whether records for certificate 214 and digital content 114may be found within blockchain 410 and are linked. In some examples,producer 102 queries blockchain 410 directly, at 938 a (FIG. 10), aspart of certificate test 2432. If blockchain test 432 fails, producer102 will reject the digital content candidate at 950, and move to thenext digital content candidate. However, for these examples, digitalcontent 114 and malicious digital content 124, blockchain test 432 ispassed (with malicious digital content 124 being found within spoofedblockchain 420).

Producer 102 performs calendar test 633 at 940, for example, determiningwhether specific date proof element 641 matches a provable no-later-thandate-of-existence found in publicity element 611 that describes oridentifies digital content 114. In some examples, producer 102 queriesout-of-band date proof 610 directly, at 940 a (FIG. 10), as part ofcalendar test 633. In some examples, producer 102 queries out-of-banddate proof 610 electronically, using electronic interface 610 a, orusing a published paper copy available at a library, or using a trustedrepository of archived document that may be unknown to attacker 120. Insome examples, producer 102 consults its own copy of out-of-band dateproof 610 that it obtained at 940 b.

If calendar test 633 fails, producer 102 will reject the digital contentcandidate at 950, and move to the next digital content candidate.Malicious digital content 124 will fail at this point, because theearliest provable no-later-than date-of-existence is the date of block411 b, which is after the date of block 411 a. However, for digitalcontent 114, calendar test 633 is passed. Producer 102 identifiesdigital content 114 as clean from malicious logic at 942, uses digitalcontent 114 in product 104 at 944, and delivers product 104 to user 108at 946. At 948, user 108 is able to independently check that digitalcontent 114, represented by producer to be within product 104 had beenregistered in blockchain 410 no later than the date indicated byout-of-band date proof 610. In some examples, user 108 queriesblockchain 410 directly at 948 a (FIG. 10) and then queries out-of-banddate proof 610. In some examples, user 108 queries out-of-band dateproof 610 directly, at 948 b, for example electronically, usingelectronic interface 610 a, or using a published paper copy available ata library, or using a trusted repository of archived document that maybe unknown to attacker 120. In some examples, user 108 consults its owncopy of out-of-band date proof 610 that it obtained at 948 c.

FIG. 11 illustrates three generic arrangements for generating messagedigests (indicated in the figure as hash values) for digital content, tochain records, and/or to chain blocks of the blockchain. In anarrangement 1100, digital content 114 is passed to two hash functions,hash function 1101 and hash function 1102. Each of these may be, forexample, any of the hash functions in the SHA family, such as the SHA-1,SHA-2 family, or SHA-3 family, or another hash function. In one example,hash function 1101 is the SHA-256 and hash function 1102 is the SHA-512.In some examples, hash function 1101 is the SHA-1. Although the SHA-1has a shorter message digest than the SHA-256, and already has reportedcollisions, it uses a different computational structure than theSHA-512. In contrast, the computational structures of the SHA-256 andthe SHA-512 are similar. There is a possibility that, if a computationalexploit is found to shortcut a second preimage attack against theSHA-256 (as opposed to a brute force attack), there may be synergisticeffects for a computational exploit to facilitate a second preimageattack against the SHA-512. Such a scenario means that a singlecomputational exploit may weaken arrangement 1100 when hash function1101 is the SHA-256 and hash function 1102 is the SHA-512. In contrast,without a computational exploit that is simultaneous for both the SHA-1and the SHA-512, even if computational exploits are found for each hashfunction independently, the use of a computational exploit against onehash function may still require a brute force attack against the other.In such a scenario, the use of the SHA-1 as hash function 1101 and theSHA-512 as hash function 1102 may actually be a stronger combinationthan using the SHA-256 as hash function 1101.

Hash function 1101 outputs its message digest as hash value 1111, andhash function 1102 outputs its message digest as hash value 1112. Theseare concatenated to produce an integrity verification code (IVC) 1120.As used herein, an IVC may be a full message digest, a partial messagedigest, or a combination (e.g., concatenation, or other combination) oftwo or more message digests. For example, the SHA-224 has a truncatedmessage digest (by 32 bits) relative to the SHA-256, and the SHA-384 hasa truncated message (by 128 bits) digest relative to the SHA-512. Insome examples, the first or final octet of hexadecimal values of amessage digest may be used, or a larger portion. IVC is used hereininterchangeably with the terms hash value and message digest.

An arrangement 1130 is similar, but with an extra step. Theconcatenation of hash values 1111 and 1112 are passed to a hash function1103, which outputs its message digest as hash value 1113. Hash value1113 is indicated as being represented interchangeably with an IVC 1140.Hash function 1103 may be the same or different as hash function 1101 or1102. One potential advantage to using arrangement 1130 is that asuccessful second preimage attack for hash value 1113 may still requiressuccessful second preimage attacks for both hash values 1111 and 1112,while still using the message digest length of only hash value 1113.

A variation of arrangement 1130 is shown as arrangement 1150 in whichdigital content 114 is hashed with hash function 1104 to produce hashvalue 1114, and hash value 1114 is concatenated with (appended to, orthe reverse) digital content 114 to be hashed with hash function 1105 toproduce hash value 1115 (IVC 1160). The concatenation of hash value 1114and digital content 114 can occur in either order, with either hashvalue 1114 or digital content 114 being first or second. In someexamples, digital content 114 is sandwiched between two different hashfunctions, and the concatenation of the three items is hashed. Hashfunction 1105 may be the same or different as hash function 1104. Insome examples, arrangement 1150 may be quicker than arrangement 1130,because there are only two hash function calculations in arrangement1150, whereas there are three hash function calculations in arrangement1130. Even when hash function 1105 is the same as hash function 1104,resistance to a second preimage attack is increased over that of hashfunction 1104 alone (although perhaps not substantially forcomputational exploits). This is because not only must the secondpreimage attack for hash value 1114 be successful, but also the secondpreimage attack for the concatenation of digital content 114 with hashvalue 1114 (i.e., a second preimage attack against hash value 1115).

FIG. 12 illustrates a process of generating records for digital content,chaining records, assembling blocks, and chaining blocks to produce ablockchain with multi-tier chaining. Multi-tier chaining provides alevel of defense for rendering blockchain operations resistant toadvanced persistent threats (APTs) that may reside within a computernetwork 2030 of permissioning entity 440 (See FIGS. 4A and 20). Ifblockchain 410 is used for establishing trust in sufficientlysignificant digital content (e.g., high-value military-relatedinformation, attacker 120 may attempt to place malicious logic (e.g., anAPT) within computer network 2030 used by permissioning entity 440 togenerate blockchain 410. The specific action of this APT may beunpredictable, and it may remain undetected for an extended period oftime. Therefore, at least some level of defense against a potential APTmay be desirable.

The basic idea is that records, for various digital content, are chainedtogether at a first chaining tier (creating a “record chain”), and thechained records are placed into blocks that are chained together at asecond chaining tier (creating the blockchain, e.g., blockchain 410).The records for the digital content contain message digests (hashvalues, IVCs, which may be partial or full message digests, and mayinclude combinations) for the digital content. The message digests forthe digital content may be considered to be the primary record “payload”because the message digests provide an aspect of trust. Candidate fieldsfor record content are illustrated in FIG. 15.

In some examples, the digital content is submitted to permissioningentity 440, and permissioning entity stores the digital content (actingas a data custodian) and generates the records. In some examples, thegenerator of the digital content (e.g., developer 110) generates therecords and submits only the records to permissioning entity 440, andpermissioning entity 440 does not see the digital content. In eithercase, permissioning entity 440 chains the individual records (similar tothe Haber-Stornetta approach, although there may be some differences.)This provides a record of the order-of-arrival of the individualrecords.

The permissioning entity sets a block accumulation period, starting withthe closing of the prior block, and lasting until the closing of thecurrent block. Records that arrive during the current block accumulationperiod are assigned to the current block. The current block is chainedto the prior block using a message digest, and in some examples, arecord that has the same format (i.e., the same fields and length) as arecord for digital content. Upon expiration of the current blockaccumulation period, the current block is closed, meaning that no newrecords are added to it. A message digest is generated for the currentblock, which will appear in the subsequent block, for example, as arecord for the current block. Out-of-band date proof (e.g., out-of-banddate proof 610) is generated using the message digest or record for thecurrent block, and is publicized for data consumers 109.

Data consumers 109 may download copies of the blockchain, including thenow-closed (formerly current) block. That block will cement the sequenceof prior blocks, with its record (or message digest) of the immediatelyprior block, and will also indicate the order-of-arrival of the recordswithin that block, as received by permissioning entity 440. In somescenarios, data consumers 109 may not obtain a copy of the blockchainuntil significant time has elapsed, for example, several years.Out-of-band date proof has an associated cost, and so in high-volumeblockchain operations, (e.g., hundreds or thousands of records per day),it is not cost-effective to generate out-of-band date proof for eachindividual record. This is why the Haber-Stornetta solution generatedclassified advertisements on only a weekly basis, rather than as eachnew hash value was generated for each incoming document.

However, with blocks closed out on a schedule, such as once daily, threetimes daily, or even hourly (possibly during business hours duringweekdays and less often during weekends and holidays), generatingout-of-band date proof for each block is feasible. The blocks eachprovide proof for no-later-than date-of-existence assertions for alldigital content that is represented by records with in that block. Thetrade-off is reduced time resolution for no-later-than date-of-existence(i.e., all records have the same provable date, no matter when theyarrived during the block accumulation period) in exchange for external,independent verification by data consumers 109.

Thus, properly-informed data consumers 109 will only trust thedate-of-existence of the now-closed (formerly current) block as of theprovable date of the out-of-band date proof—and will not trust theorder-of-arrival of the records within that block. This is because, evenif permissioning entity 440 is perfectly honest, an APT on computernetwork 2030 of permissioning entity 440 may have attempted tomaliciously alter the order-of-arrival information, or even the recordsthemselves, during the block accumulation period. In some cases, forexample, the APT may even generate a new record chain, so that therecord chain appearing within the block appears to be legitimate. So,the order-of-arrival information indicated within the record chain hassome informative value, and may be entirely accurate, but is notindependently verifiable by data consumers 109, and should therefore notbe fully trusted by data consumers 109.

One aspect of value for the record chaining, however, is enablingpermissioning entity 440 to detect the presence of the APT. One possibleapproach is that, during the block accumulate period, permissioningentity 440 sends out the latest message digest that chains the mostrecently-received (or generated) record to the immediately prior one(i.e., the chaining message digest). For example, the chaining messagedigest may be sent to data owner 111 for the digital content thatcorresponds to the most recently-received (or generated) record, or tosome other destination outside of computer network 2030 of permissioningentity 440. In some examples, this may be accomplished immediately uponthe chaining message digest being generated, in order to minimize thetime for the APT to enact malicious alterations.

When the block is closed and publicized, each data owner 111 that hasdigital content corresponding to a record within the now-closed block,should check that the record for their content is within the block, andthat the record has the proper chaining message digest. If either ofthese conditions is not met, data owner 111 should inform permissioningentity 440. Such a detection mechanism may deter attacker 120 fromexposing any APTs that may be present on computer network 2030 ofpermissioning entity 440. Even though permissioning entity 440 and allof data owners 111 may be satisfied that the now-closed block hascorrect order-of-arrival information for all of the records, thisagreement among permissioning entity 440 and any data owners 111nevertheless does not constitute a basis for data consumers 109 to trustorder-of-arrival information for the records at a future date.

In the event that the detection fails, such as additional falsifiedrecords had been added into the block, the damage to trust in theblockchain is limited, because at least the legitimate records retainthe proof for no-later-than date-of-existence. Note that a record beingabsent from a block (e.g., being altered or deleted by the APT), andthus losing its proof for no-later-than date-of-existence, is aneasily-detectable condition by a vigilant data owner 111. The damage insuch a scenario is that the no-later-than date-of-existence is delayeduntil the close-out of a subsequent block.

With more specific reference now to FIG. 12, a set of eight digitalcontent files 1201-1208 are shown. For example, digital content 114 maybe stored as one of digital content files 1201-1208. A record generator1210 generates a set of corresponding records 1211-1218 that eachincludes a message digest for a respective one of digital content files1201-1208, along with other information to improve the utility of therecords. Further information regarding the content of records isprovided in relation to FIG. 15. A record chainer 1220 inserts, intoeach of records 1211-1218, a message digest for the digital content filethat had been received immediately prior, to produce a set of chainedrecords 1221-1228. For example, digital content file 1201 is receivedfirst, and record 1211 is generated for digital content file 1201, witha message digest for digital content file 1201. No record had beengenerated or received earlier, so chained record 1221 has a set ofpadding zeros in the field within chained record 1221, in the field thatis reserved for the message digest for the immediately prior record.

Digital content file 1202 is received, next, after digital content file1201, and record 1212 is generated for digital content file 1202, with amessage digest for digital content file 1202. Chained record 1221 hadbeen generated earlier, so chained record 1222 has the message digestfor chained record 1221 within chained record 1222, in the field that isreserved for the message digest for the immediately prior record.Digital content file 1203 is received, next, after digital content file1202, and record 1213 is generated for digital content file 1203, with amessage digest for digital content file 1203. Chained record 1222 hadbeen generated earlier, so chained record 1223 has the message digestfor chained record 1222 within chained record 1223, in the field that isreserved for the message digest for the immediately prior record. Thiscontinues on, until digital content file 1208 is received after digitalcontent file 1207. Record 1218 is generated for digital content file1208, with a message digest for digital content file 1208. Chainedrecord 1227 had been generated earlier, so chained record 1222 has themessage digest for chained record 1227 within chained record 1228, inthe field that is reserved for the message digest for the immediatelyprior record. In this manner, chained records 1221-1228 are chained intoa record chain 1229.

A block generator 1240 assembles chained records 1221, 1222, and 1223into a block 1241, because they were generated during a blockaccumulation period 1231. Block accumulation period 1231 may be based ona schedule, such as an hour, a number of hours, a day (plus perhaps aweekend or holiday period), or some other criteria, such as a thresholdnumber of records accumulating. See for example, the description ofoperation 926 of FIG. 9, which describes the termination (close-out) ofa block accumulation period.

Similarly, chained records 1224 and 1225 are placed into a block 1242,because they are generated during a block accumulation period 1232, andchained records 1226, 1227, and 1228 are placed into a block 1243,because they are generated during a block accumulation period 1233. Ablock chainer 1250 chains blocks 1241, 1242, and 1243 to created chainedblocks 1251, 1252, and 1253. Block chainer 1250 creates chaining records1261, 1262, and 1263 for chained blocks 1251, 1252, and 1253 bygenerating a message digest for the immediately preceding chained block.In some examples, each of chaining records 1261, 1262, and 1263resembles one of chained records 1221-1228, although with the payloadmessage digest being for the prior chained block, rather than a digitalcontent file. Chaining record 1261 may be largely padded with zeros,since there is not an immediately prior block.

Chaining record 1262 has a message digest for chained block 1251 (or, insome examples a header of chained block 1251), in which the messagedigest calculations include chaining record 1261. Chaining record 1263has a message digest for chained block 1252 (or, in some examples aheader of chained block 1252), in which the message digest calculationsinclude chaining record 1262. This chains each of chained blocks1251-1253 into at least a portion of blockchain 410. In some examples,blockchain 410 uses fixed-size records, with variable-sized blocks. Insuch examples, the sizes of the blocks depend on the number of records(or documents, for which records are generated) arriving during a blockaccumulation period.

FIG. 13 illustrates various options for the multi-tier chaining, forexample relating chained records 1221-1228 with chaining records1261-1263. In an arrangement 1301, chained records 1221-1228 andchaining records 1261-1263 are not interspersed, but instead show twoparallel, independent chains. That is, chained records 1221-1228 are notaltered, their original chaining remains intact, and chaining records1261-1263 are chained directly together, using the field that isreserved for the message digest for the immediately prior record. Forexample, chaining record 1262 has a payload message digest for block1251, but in the field that is reserved for the message digest for theimmediately prior record (i.e., the corresponding field in which chainedrecords 1221-1228 are chained) chaining record 1262 has a message digestfor chaining record 1261. Thus, chaining record 1262 contains a firstmessage digest for block 1251 (the payload), and a second message digestfor chaining record 1261. Similarly, chaining record 1263 contains afirst message digest for block 1252 (the payload), and a second messagedigest for chaining record 1262.

In an arrangement 1302, however, record chain 129 is interwoven withchaining records 1261-1263. That is, chained record 1221 is now chainedto chaining record 1261, using the field that is reserved for themessage digest for the immediately prior record. Chaining record 1262 isinserted between chained record 1223 and chained record 1224. Chainingrecord 1262 still has the same payload (the message digest for block1251), but now has a message digest for chained record 1223 in the fieldthat is reserved for the message digest for the immediately priorrecord. Chained record 1224 now has a message digest for chaining record1262 in the field that is reserved for the message digest for theimmediately prior record (in place of the message digest for chainedrecord 1223). Similarly, chaining record 1263 is inserted betweenchained records 1225 and 1226. If chaining record 1262 is generated(e.g., when block 1251 is closed out) prior to the generation of chainedrecord 1224, that is, chaining record 1262 is generated within thesequence of chaining records 1223 to 1224, then the field of chainingrecord 1224 that is reserved for the message digest for the immediatelyprior record will initially be populated with the message digest forchaining record 1262, and so does not need to be altered or changed.

Similarly, if chaining record 1263 is generated (e.g., when block 1252is closed out) prior to the generation of chained record 1226, that is,chaining record 1263 is generated within the sequence of chainingrecords 1225 to 1225, then the field of chaining record 1225 that isreserved for the message digest for the immediately prior record willinitially be populated with the message digest for chaining record 1263,and so does not need to be altered or changed. Note that, if chainingrecords 1261, 1262, and 1263 are generated at a later time (i.e.,chaining record 1261 is generated after chained record 1221, chainingrecord 1262 is generated after chained record 1224, and chaining record1263 is generated after chained record 1226), then each of chainedrecords 1221, 1224, and 1226 will need to be changed, to substitute themessage digests for chaining records 1261, 1262, and 1263, respectively.This will alter the message digests of each of chained records 1221,1224 and 1226, resulting in a cascading need to re-accomplish the recordchaining prior to closing out each of blocks 1251-1252. In order topreserve the APT detection, described above, it may be preferable totime the generation of chaining records 1261-1263 to occur interspersedwith the generation of record chain 129.

FIG. 14 illustrates various options for deduplication with multi-tierchaining. In the illustrated examples, after generating chained record1222, while block 1251 was still current (i.e., before block 1251 wasclosed), permissioning entity 440 discovered that digital content file1202 was a duplicate of digital content file 1201. Similarly, aftergenerating chained record 1225, while block 1252 was still current(i.e., before block 1252 was closed), permissioning entity 440discovered that digital content file 1205 was a duplicate of digitalcontent file 1204 (or another file). Thus, chained records 1222 and 1225are superfluous, because the payloads of chained records 1222 and 1225appear within earlier chained records. In some examples, deduplicationis performed only within blocks, rather than across blocks. In someexamples, deduplication is not performed, and chained records 1222 and1225 remain.

In some examples, however, chained records 1222 and 1225 are removed.Options exist for the chaining of the subsequent records, chained record1223 and chaining record 1263, respectively. In an arrangement 1401, therecord chaining is simply broken. This may occur if permissioning entity440 decides that the record chaining (during the block accumulationperiods) served its purpose of deterring an APT from disruptingblockchain operations (i.e., generating blockchain 410), and is nolonger needed, because the blocks are still properly chained. However,in an arrangement 1402, the record chaining is updated to compute newmessage digests in order to repair the chain. In the illustratedexample, chained record 1223 has the message digest for chained record1221, and chaining record 1263 has the message digest for chained record1224.

FIG. 15 illustrates various options for record content. An exemplaryrecord 1500 contains the content fields indicated and may representrecord 412 and/or record 414 shown in prior figures. As illustrated,record 1500 has multiple portions, illustrated as grouped into fieldcategories, although it should be understood that some of theillustrated fields are optional, and the order of the fields may vary. Aprimary payload portion 1510 includes a message digest field 1511 havingthe message digest (see FIG. 11 for variations) for the subject digitalcontent, such as digital content 114. A record chaining portion 1520includes a message digest field 1521 having the message digest (see FIG.11 for variations) for the prior record, with the possible exception ofsome or all of administrative field portion 1570, as noted below. Recordchaining portion 1520 also includes a record chain index 1522, which isan index of the current record (not the prior record, for which themessage digest of message digest field 1521 was calculated) in recordchain 1229. Because record chain index 1522 does not reset for eachblock (that a record index 1574, described below, does), record chainindex 1522 may need to be either a larger integer (with a wider bitfield), or else blockchain 410 may need to be able to handle theeventual wrapping of the value of record chain index 1522 around themaximum integer value.

Three additional portions, a data owner fields portion 1530, a datacustodian fields portion 1540, and a permissioning entity fields portion1550 are illustrated having corresponding fields for informationsubmitted by various entities associated with digital content 114 and/orblockchain 410. Multiple types of record link fields are described belowas being useful to locate additional records that may be related to thecurrent record being examined by a data user (e.g., a data owner or adata consumer). However, if records contain only message digests, thenknowledge of only the message digest requires additional data for dataconsumer 109 to determine the significance of the information that isthe subject of that other (linked) record.

In one scenario, data consumer 109 may have access to a large cache ofdocuments, and must determine the message digest for each, in order todetermine which is associated with the chained record. An alternative isthe use of data owner fields portion 1530, data custodian fields portion1540, and/or permissioning entity fields portion 1550 to provide someclues to enable data consumer 109 to locate the document that is thesubject of the chained record. In some examples, data custodian fieldsportion 1540 may be replaced with a certification entity fields portion,or a certification entity fields portion may additional to those shownin FIG. 15.

In some examples, data owner fields portion 1530 includes a data ownerdigital signature field 1531 which may hold the data owner's digitalsignature of the subject digital content (e.g., digital content 114signed by data owner 111), and/or the data owner's digital signature ofother material, such as the message digest (e.g., within message digestfield 1511) of digital content 114. In some examples, data owner fieldsportion 1530 includes a timestamp field 1532 which may hold the dataowner's timestamp for when the subject digital content was created,and/or when data owner 111 created the original record for submission topermissioning entity 440 (e.g., record 1211 of FIG. 12). In someexamples, data owner fields portion 1530 includes an identification ofthe subject digital content in a digital content identification field1533, so that data consumer 109 may be able to locate the digitalcontent that is the subject of record 1500. This may be used when record1500 had been located via searching based on record link fields, as isdescribed below, and data consumer 109 wishes to determine whetherrecord 1500 is for a certification, a certification revocation, or alater version of the subject digital content.

There may be scenarios in which using cleartext file names for somedigital content creates a security risk. In such scenarios, a referencelist may be created, similar to pseudonymization, and the list withheldfrom public distribution. Information enabling location of the digitalcontent (e.g., a file name, date, and or storage path location) isidentified with a random number, and the random number is placed withindigital content identification field 1533. When data consumer 109, withthe proper credentials, identifies record 1500, the list may be used topoint the date user to the subject matter of record 1500. In someexamples, a reserved other field 1534 may be placed in data owner fieldsportion 1530 for additional administrative data and/or as a placeholderfor future (as of yet) unidentified needs.

In some examples, data custodian fields portion 1540 includes a datacustodian digital signature field 1541 (for a data custodian's digitalsignature of information related to record 1500); a timestamp field1542; a digital content identification field 1543; and a reserved otherfield 1544. The fields of data custodian fields portion 1540 may be usedsimilarly to the manner of use described for data owner fields portion1530, if it is expected that a data custodian will supply additionalinformation beyond that supplied by data owner 111. Some examples mayomit data custodian fields portion 1540 in favor of using only dataowner fields portion 1530.

In some examples, permissioning entity fields portion 1550 includes apermissioning entity digital signature field 1551 which may hold thepermissioning entity's digital signature of the subject digital content(e.g., digital content 114), and/or the permissioning entity's digitalsignature of other material, such as record 1500 in the state in whichit was received (i.e., prior to permissioning entity fields portion 1550being populated). In some examples, permissioning entity fields portion1550 includes a timestamp field 1552 which may hold the permissioningentity's timestamp for when record 1500 was received and/or updated(e.g., by populating record link fields described below and/orpopulating permissioning entity fields portion 1550). In some examples,permissioning entity fields portion 1550 also includes an identificationof the subject digital content in a digital content identification field1553, and a reserved other field 1544.

A linking field portion 1560 includes a first versioning link field1561, a second versioning link field 1562, a first certification linkfield 1563, a second certification link field 1564, and other generalrecord link fields 1565-1568. In some examples, other general recordlink fields 1565-1568 contain blockchain addresses of other records (ifany) that are related to record 1500. For example, if the subjectdigital content of record 1500 is a later version of earlier digitalcontent, for which blockchain 410 holds a prior record, versioning linkfield 1561 or 1562 will contain the blockchain address of (or otherpointer to) that earlier record.

With brief reference back to FIG. 4A, when data consumer 109 (e.g.,producer 102 or user 108) examines blockchain 410, and finds record 412(which may be in the format of record 1500) for digital content 114,data consumer 109 may wish to determine whether digital content 114 hasbeen superseded by a later version. Data consumer 109 may then searchlater in blockchain 410 for a mention of the blockchain address ofrecord 412, and find it within versioning link field 1561 of a laterrecord. Data consumer 109 may then determine that at least one laterversion of digital content 114 exists, and repeat this searching processuntil no later records are identified. This versioning information isthen available within blockchain 410, thereby increasing the utility ofblockchain 410 by helping to reduce the likelihood that obsolete digitalcontent will be used. That is, in some examples, blockchain 410 not onlyprovides assurance of the integrity and no-later-than date-of-existenceof digital content 114, but is also able to provide a form of a warningto data consumers 109 when digital content 114 should perhaps not beused.

If the subject digital content of record 1500 has been certified bycertification entity 210 (see FIG. 2A), certification link field 1563 or1564 will contain the blockchain address of a record associated withthat certification event, thereby acting as record link 416 of FIG. 4A.In some examples, a blockchain address may differ, based on whether theaddress is within the same block or a prior block. When referencinganother record in a prior block, the blockchain address may be the blocknumber, plus the index of the record within that block (e.g., a recordindex 1574, described below, but for that other record). The blocknumber may be a simple numerical count of the block within the sequenceof blocks within blockchain 410. When referencing another record in thesame block, the blockchain address may have the same format as whenreferencing another record in a prior block, with the block number beingset to the block number of the same block. During the block accumulationfor that block (i.e., prior to that block being closed out), the numberis the anticipated number, because that block has not yet been added toblockchain 410. In some examples, however, when referencing anotherrecord in the same block, the blockchain address may instead comprise aflag to indicate that the record is within the same block, and therecord index (e.g., record index 1574) but for that other record.

With continued reference back to FIG. 4A, digital content 114 iscertified with certificate 214 by certificate entity 210, and records412 and 414 are generated for digital content 114 and certificate 214,respectively. In this example, both of records 412 and 414 are in theformat of record 1500, having at least certification link field 1563. Ifboth records 412 and 414 are submitted approximately simultaneously,certification link field 1563 in record 412 may be filled in toreference record 414, and certification link field 1563 in record 414may be filled in to reference record 412. If, in an unlikely situationthat record 414 for certificate entity 210 is submitted to permissioningentity 440, and included in a closed-out block prior to the submissionof record 412 for digital content 114, then when record 412 is submittedat a later time, its certification link field 1563 may be populated toindicate the blockchain address of record 414.

However, in the more likely scenario that record 412 for digital content114 is submitted and included in a closed-out block while certificateentity 210 is still studying digital content 114, then when record 414(for certificate 214) is submitted at a later time, its certificationlink field 1563 may be populated to indicate the blockchain address ofrecord 412. When data consumer 109 (e.g., producer 102 or user 108) isexamining blockchain 410, finds record 412 for digital content 114, andwishes to determine whether digital content 114 is certified, dataconsumer 109 may then search later in blockchain 410 for a mention ofthe blockchain address of record 412, and find it within record 414 forcertificate 214. In this way, data consumer 109 is able to identify thatsome associated information (e.g., possibly a certificate or a laterversion) is available—using information contained within blockchain 410,and therefore trusted by data consumer 109.

Fortunately, similar to the versioning information process, dataconsumer 109 may search further in blockchain 410 for a mention of theblockchain address of record 412 or 414. In some scenarios, aftercertification entity 210 has generated certificate 214, submitted record414, and record 414 has been linked with record 412, certificationentity 210 (or another entity) may discover that digital content 114 hada latent problem. Certification entity 210 may then revoke certificate214. However, since record 412 cannot be changed within blockchain 410,a new record for the revocation of certificate 214 may be generated, anda record for that revocation submitted into blockchain, referencingrecord 412 and/or record 414. In this manner, blockchain 410 not onlyprovides data consumers 109 with notice of the certification of digitalcontent, but also is able to alert data consumers 109 when digitalcontent 114 has lost its certification and so should not be used.

In some scenarios, after record 414 for certificate 214 has beensubmitted to blockchain 410, data owner 111 may submit a new record fordigital content 114 that references record 412 in certification linkfield 1563. In some examples, the new record may further referencerecord 412 in certification link field 1563 to reflect that the newrecord is a resubmission for the purpose of establishing a certificationlink (e.g., record link 416). If digital content 114 has multiplecertifications, certification link field 1564 may also be used foranother certification link, although some examples may omit a secondcertification link field. In some examples, there are no dedicatedrecord link fields, and any record link, whether for versioning,certification, or other reasons is placed within some allotted spacewithin linking field portion 1560. Other reasons for linking records areto indicate a relationship between the subject digital content. Forexample, if a particular project includes multiple documents thattogether make a complete package, such that anyone possessing a copy ofone document should also possess the others, then the records for thoseassociated project documents may be linked using other one or more ofother general record link fields 1565-1568.

An administrative field portion 1570 includes a first software versionfield 1571, a second software version field 1572, an administrative datafield 1573, and a record index 1574. In some examples, software versionfield 1571 indicates a version number of the software used to generaterecord 1500, and may, in some examples, also indicate the source of thesoftware. In some examples, software version field 1572 indicates aversion number of other software used for generating data withinblockchain 410. Other administrative data field 1573 contains additionaladministrative information that may be useful to data consumers 109 whoare using blockchain 410 to assess the validity and/or integrity ofdigital content 114.

For example, if record 1500 is used as the record chaining differentblocks (e.g., any of chaining records 1261, 1262, and 1263 of FIG. 12)administrative data field 1573 may contain the block number of the priorblock and/or the block number of the current block. These are the blocknumbers used in the blockchain addresses, for example, as describedabove for record link fields 1561-1568. Record index 1574 is an index,such as the count of the record within the sequence of records withinits same block. In some examples, if a chaining record is the firstrecord appearing within a block, and the record indexing uses 1-basedindexing (rather than 0-based indexing), record index 1574 is set to thevalue of 1. In such examples, the second record within that same blockwill be the first chained record (e.g., one of chained records 1221,1224, or 1225) for referenced digital content (e.g., malicious digitalcontent 124). In some examples, because record index 1574 may bedetermined after record chain 1229 is formed (see FIG. 12), some or allof administrative field portion 1570 for one record may be excluded inthe calculation of the message digest that chains records, and whichappears in message digest field 1521. Some examples use both recordindex 1574 and record chain index 1522. Some examples may use recordindex 1574 for the record chain index value (i.e., record index 1574acts as described above for record chain index 1522 value) until thecurrent block is closed out, and then the record chain index value isreplaced with the block index value in record index 1574.

Referencing now FIGS. 12 and 13, in view of FIG. 15, certain recordfields may be described in further detail. Block 1251 is assigned theblock number 1, and there is no prior block. For chaining record 1261,message digest field 1511 is padded with zeros because there is no priorblock; message digest field 1521 is padded with zeros because there isno prior record; administrative data field 1573 holds a value of 0indicating the prior block number (which does not exist), a value of 1indicating its own block number, and possibly other relevantinformation. The blockchain address of chaining record 1261 (using 8characters for each of the block number and record index 1574) is00000001 00000001.

For chained record 1221, message digest field 1511 has the messagedigest for its subject digital content (e.g., digital content 114);message digest field 1521 has the message digest for chaining record1261, possibly excluding all or some of administrative field portion1570 for chaining record 1261; administrative data field 1573 holdsinformation that is relevant to chained record 1221 and/or the subjectdigital content. The blockchain address of chained record 1221 is00000001 00000002. For chained record 1222, message digest field 1511has the message digest for its subject digital content; message digestfield 1521 has the message digest for chained record 1221 (possiblyexcluding all or some of administrative field portion 1570 for chainedrecord 1221); administrative data field 1573 holds information that isrelevant to chained record 1222 and/or the subject digital content. Theblockchain address of chained record 1222 is 00000001 00000003.

Continuing this scheme, block 1252 is assigned the block number 2. Forchaining record 1262, message digest field 1511 has the message digestfor block 1251, because block 1251 is the subject digital content ofchaining record 1262; message digest field 1521 has the message digestfor chained record 1223 (using arrangement 1302); administrative datafield 1573 holds a value of 1 indicating the prior block number (forblock 1251), a value of 2 indicating its own block number, and possiblyother relevant information. The blockchain address of chaining record1262 is 00000002 00000001. For chained record 1224, message digest field1511 has the message digest for its subject digital content; messagedigest field 1521 has the message digest for chaining record 1262;administrative data field 1573 holds information that is relevant tochained record 1224 and/or the subject digital content. The blockchainaddress of chained record 1224 is 00000002 00000002. This schemecontinues for further records and blocks, building out blockchain 410.

With brief reference back to FIGS. 6A and 13, message digest field 1511of chaining records (e.g., chaining records 1261, 1262, and 1263) mayprovide a portion of publicity element 611 and/or date proof element 641for out-of-band date proof 610. That is, in some examples, out-of-banddate proof 610 advertises the message digests that chain the blocks.Returning now to FIG. 15, it can be appreciated that record 1500 mayeasily grow to lengths of 1 KB or more, depending upon which fields areused, and how long the fields are.

In some examples, record 1500 is stored and distributed as binary data,although in some examples, record 1500 (and the blocks of blockchain410) are stored and distributed as ASCII text files, to facilitateindependent examination by data consumers 109 without requiring specialsoftware. The ASCII encoding typically imposes a penalty of doubling thesize of the stored file (for the same amount of data). In some examples,message digest field 1511 may be 256 bits, and be represented as 64characters (with an 8-bit byte and ASCII encoding), for example if themessage digest is expressed as a SHA-256 message digest (e.g., one ofIVCs 1120, 1140, or 1160 of FIG. 11). In some examples, message digestfield 1511 may be 512 bits, and be represented as 128 characters (e.g.,using the SHA-512) or 768 bits represented as 192 characters if bothSHA-512 and SHA 256 are used to output the final message digest (e.g.,IVC 1120, 1140, or 1160). In some examples, message digest field 1521 isthe same length as message digest field 1511, although in some examples,they may be different lengths.

In some examples, digital signature fields 1531, 1541, and 1551 are 64bits. In some examples, timestamp fields 1532, 1542, and 1552 are 64bits. In general, the size of each of record link fields 1561-1568depends on the number of bits used to represent a blockchain address.Although examples described above used 8 characters to represent boththe block number and record index 1574, some examples my truncate thesenumbers. Permissioning entity 440 (see FIG. 4A) may prefer to stopaccumulating records in a single block prior to reaching 2{circumflexover ( )}64 records. As a result, record index 1574 may be representedusing a shorter set of bits, although using bit fields that are aninteger multiple of 8 may be preferable. In some examples, the set offields used, and their lengths, and even additional fields and padding,are selected to set the length of record 1500 to an integer power of 2,such as 1024, 2048, 4096, or 8192 bits.

Versioning link fields 1561 and 1562 and/or certification link fields1563 and 1564 may be used as illustrated in FIG. 16. In a versioningscenario 1600, a digital content 1601 and a digital content 1602 (eitherof which may be equivalent to digital content 114) are merged into adigital content 1603, in a merge event 1610. Digital content 1603 isrevised, in a revision event 1611, to produce the current version ofdigital content 1604. A record 1621 is generated for digital content1601, and a record 1622 is generated for digital content 1602. Aftermerge event 1610, a record 1623 is generated for digital content 1603.Because digital content 1603 is a merge of digital content 1601 and1602, versioning link fields 1561 and 1562 of record 1623 are populatedwith record links 1633 a and 1633 b, respectively. Record link 1633 apoints to record 1621, for example using the blockchain address ofrecord 1621, and record link 1633 b points to record 1622, for exampleusing the blockchain address of record 1622.

After revision event 1611, a record 1624 is generated for digitalcontent 1604. Because digital content 1604 is a later version of digitalcontent 1603, versioning link field 1561 of record 1624 is populatedwith a record link 1634. Data consumer 109, attempting to locate record1621, may search blockchain 410 to find record link 1633 a, which is areference to (e.g., the blockchain address of) record 1621 within record1623. This is possible, because the blockchain address of record 1621 isknown to data consumer 109. Examining record 1623, data consumer 109 isthen able to find record link 1633 b, which is a reference to record1622. Data consumer 109 may then search blockchain 410 to find recordlink 1634, which is a reference to record 1623 (because the blockchainaddress of record 1623 is known). This enables data consumer 109 toidentify that data content 1601 has later versions (e.g., digitalcontent 1603 and 1604) by using information contained within blockchain410. Similarly, data consumer 109, first finding record 1624 for digitalcontent 1604, is able to determine the pedigree of digital content 1604as being derived from digital content 1601, 1602, and 1603. Pedigreeinformation may have value in some scenarios in which a certain portionof some digital content is known to have particular properties or risksthat are of interest to data consumer 109.

In a certification scenario 1640, a certificate 1642 is created for adigital content 1641 (which may be equivalent to digital content 114),but later revoked in a revocation event 1643, for example when a newsecurity risk is discovered within digital content 1641. A record 1651is generated for digital content 1641, and a record 1652 is generatedfor certificate 1642. Because record 1652 represents a certification ofdigital content 1641, certification link field 1563 of record 1652 ispopulated with a record link 1662 that points to record 1651.

After revocation event 1643, a record 1653 is generated for revocationevent 1643 (e.g., some document generated by certification entity 210).Because revocation event 1643 revokes certificate 1642 for digitalcontent 1641, certification link fields 1563 and 1564 of record 1653 arepopulated with record links 1663 a and 1663 b, respectively. Record link1663 a points to record 1651, for example using the blockchain addressof record 1651, and record link 1663 b points to record 1652, forexample using the blockchain address of record 1652. Record links1621-1624 and 1651-1654 may be equivalent to record link 416.

FIG. 17 illustrates a flowchart 1700 of exemplary operations associatedwith disclosed examples of blockchain operations, for example, renderingblockchain operations resistant to APTs. In some examples, at least aportion of flowchart 1700 may be performed using one or more computingdevices 2600 of FIG. 26. In general, with a sufficiently sophisticatedAPT, detection of the APT may be aided by having reference informationthat is outside the access of the APT, for example on a differentcomputer network. Therefore, if an APT is on computer network 2030 thatpermissioning entity 440 uses to assemble blockchain 410 (see FIG. 20),it may be beneficial to have reference information outside that network.As indicated, certain operations in flowchart 1700 are performed withincomputer network 2030 operated by permissioning entity 440 (e.g.,operations 1702-1728), and some (e.g., operations 1742-1766) areperformed outside computer network 2030 (e.g., on a data owner'scomputer network 2010, see FIG. 20) or in an isolate portion.

A new block is opened at 1702 and certain numbers associated withblockchain 410 are updated, such as the block count, the record count,and the record index (within the current block) are updated. A newchaining record (e.g., chaining record 1262) is generated at 1704, whichwill be used to chain the current (new) block to the prior block (e.g.,chaining record 1262 chains block 1251 to block 1251 in FIG. 13). Thenew chaining record is put into the new block at 1706. This starts thecurrent block accumulation, denoted as operation 1708. Permissioningentity 440 waits for incoming records or digital content at 1710.

In some examples, there are options for growing blockchain 410: Dataowners 111 (e.g., developers 110 of FIG. 1 and/or other entities actingas data owner 111) submit digital content or only message digests (or atleast partially complete records) that represent digital content, whilewithholding the digital content itself. Flowchart 1700 shows bothoptions, and some examples of blockchain operations may permit bothoptions, although some examples may only permit one option or the other.Digital content (e.g., digital content 114) is received at 1712, and arecord is generated for the digital content by either permissioningentity 440, or perhaps data custodian 112 (of FIG. 1), at 1714.Alternatively, the record is received at 1716. The new (or newlyreceived) record is chained to the immediately prior record by insertingthe message digest of the immediately prior record into message digestfield 1521 of the new record, and the message digest for the new recordis calculated (generated). The message digest of the immediately priorrecord is already known due to an earlier iteration of operation 1718for that immediately prior record.

The message digest of the new record is immediately returned to thesubmitter (e.g., data owner 111) at 1742, which places a copy of themessage digest of the new record outside computer network 2030 ofpermissioning entity 440. The purpose of doing this is that, if an APTdoes reside within computer network 2030 of permissioning entity 440,the copy sent to data owner 111 cannot be reached by the APT (unless thedata owner's computer network 2010 hosts a second conspiring APT). Thus,any alteration of records on computer network 2030 of permissioningentity 440 may be detected at a later time (using the data owner's copyof the message digest for the new record), revealing the activity of theAPT on computer network 2030 of permissioning entity 440. In someexamples, at 1762, another copy of the message digest of the new recordis sent to a data archive used by permissioning entity 440, which ishopefully somewhat insulated from an APT that operates on computernetwork 2030 that assembles blockchain 410.

Preferably, even if the APT is able to perform malicious activity (e.g.,altering or deleting records) during the block accumulation period,operations 1712-1718, plus operations 1742 and 1762 occur so rapidlythat the APT is unable to alter the message digest that is sent to dataowner 111 and/or is sent to the insulated data archive. In someexamples, permissioning entity 440 may segment its computer network 2030so that the portion that processes new records has more restrictedaccess than does the portion that assembles and distributes blocks, andupstream communication between the different portions it tightlyconstrained.

The prior record now has the message digest of the new record, and somay be sufficiently complete to append to the currently open block, at1720. In some examples, operation 1720 corresponds to operation 924 ofFIG. 9. Decision operation 1722 determines whether a trigger conditionfor closing the current block accumulation period has occurred, such asa timer, a calendar event, or a threshold number of record haveaccumulated. In some examples, blocks are closed out on a schedule, suchas hourly, daily, or upon the lapse of another set time period. If thetrigger condition has not been met, flowchart 1700 returns to 1710 towait for the next record. What had been the new record will become theimmediately prior record, when the new record arrives.

If the trigger condition has been met, the block accumulation periodends (terminates), as indicated by 1724, and permissioning entity 440closes the current block at 1726 (corresponding to operation 926 of FIG.9). Permissioning entity 440 may then take a copy of the newly-closedblock to an insulated computer network and perform an audit of theportion of record chain (e.g., the portion of record chain 1229) thatappears within the newly-closed block, at 1764. If the audit passes, atdecision operation 1766, the newly-closed block is appended toblockchain 410, which is published at 1728 (corresponding to operation928 of FIG. 9). In some examples, when flowchart 1700 returns tooperation 1702 and then operation 1702, what had been the new recordwill become the immediately prior record for the new chaining record(e.g., chained record 1225 is the immediately prior record to chainingrecord 1263).

If, however, an APT on computer network 2030 of permissioning entity 440had altered records during the block accumulation period, the audit inoperation 1764 may fail and be detected in decision operation 1766.Operation 1750 then detects the possibility of an APT being presentwithin computer network 2030 of permissioning entity 440. Additionally,each data owner 111, who submitted digital content or records that arecovered in the newly published block, may independently perform its ownaudit at 1744, using the message digests received at 1742. If decisionoperation 1746 does not detect failure, no action may be performed (insome examples), although if a failure is detected, operation 1750 hasanother opportunity to detect the possibility of an APT being presentwithin computer network 2030 of permissioning entity 440. Operation 1750includes alerting permissioning entity 440, if necessary.

FIG. 18 illustrates a flowchart 1800 of exemplary operations associatedwith disclosed examples of blockchain operations, for example, usinglinking blockchain records to identify certification, track pedigree,and/or identify superseded digital content. In some examples, at least aportion of flowchart 1800 may be performed using one or more computingdevices 2600 of FIG. 26. Operations 1802-1836 set up records withinblockchain 410 so that data consumer 109 is able to parse up and downblockchain 410 in operations 1840-1848 to identify relevant eventsassociated with some particular digital content that is captured withinblockchain 410. A first record for version 1 of some digital content(e.g., digital content 114) is received at 1802. The digital content iscertified (e.g., by certification entity 210), and record for thecertification (e.g., certificate 214) is received at 1804. In somescenarios, the record for the digital content is published in blockchain410 before the record for the certification is received. In suchscenarios, operation 1806 determines the blockchain address of thedigital content record in a prior block. Operation 1808 annotates therecord for the certification with the blockchain address of the digitalcontent record, thereby linking the two records.

With a brief reference back to FIG. 4A, this may be an example of thegeneration of record link 416 for record 412 (the digital contentrecord) and record 414 (the certification record). In some examples, asecond record for version 1 of the digital content is generated at 1810and linked to the certification record. In some alternative scenarios,operations 1802 and 1804 occur in sufficiently rapid succession thatboth records will appear within the same block. In such alternativescenarios, operation 1806 determines the blockchain address of thedigital content record within the same block, and a second record forthe digital content is not needed because operation 1810 is insteadupdating the first digital content record with a link to thecertification record.

The certification for version 1 of the digital content is revoked, and arecord of the revocation is received at 1812. In order to link therevocation record to the prior certification record and the digitalcontent record(s), the blockchain addresses of these prior records aredetermined at 1814. The revocation record is annotated with theblockchain addresses, thereby linking the revocation record with therecords for the digital content and the certification records at 1816.The linked revocation record is published in blockchain 410, also inoperation 1816. The intent is that, if data consumer 109 looks toblockchain 410 to identify whether some digital content is certified asbeing safe to use, then blockchain 410 should also be configured toalert data consumer 109 when the certification is no longer valid. Thisis described below, for operations 1840-1848.

Version 2 of the digital content is generated, superseding version 1,and a record for version 2 is received at 1818. Supplemental digitalcontent is generated in a version 3, for which a record is received at1820. The records are published in blockchain 410. At some later time,version 2 and version 3 of the digital content are merged, therebyproducing a version 4, at 1822. A record for version 4 of the digitalcontent is received at 1824. In order to link the version 4 record tothe prior version records, the blockchain addresses of the prior versionrecords are determined at 1826. The version 4 record is annotated withthe blockchain addresses of version 1, version 2, and version 3, therebylinking the version 4 record with the records for the earlier versions,at 1828. The linked version 4 record is published in blockchain 410,also in operation 1828. The intent is to configure blockchain 410 toalert data consumers 109 when digital content is superseded, and also topermit data consumers 109 to investigate pedigree of digital content.This is also described below, for operations 1840-1848.

At some later time, version 4 of the digital content is superseded byversion 5 at 1830, and a record for version 5 of the digital content isreceived at 1832. In order to link the version 5 record to the priorversion records, the blockchain addresses of the version 4 record and(optionally) the other prior version records are determined at 1834. Theversion 5 record is annotated with the blockchain addresses of version 4and (optionally) additional versions, thereby linking the version 5record with at least one records for an earlier version, at 1836. Thelinked version 5 record is published in blockchain 410, also inoperation 1836.

When data consumer 109 is planning to use a version of the digitalcontent, in operation 1840, data consumer 109 obtains at least one ofthe records identified in operations 1802-1836. Using the linking fieldsin operation 1842, data consumer 109 is able to locate any prior recordsrelated to the digital content. Based on the starting point, dataconsumer 109 is able to determine the prior versions (e.g., determinethe pedigree), as well as identify that version 1 had been certified atone time, at 1844.

Also, by searching blockchain 410 for any references to the blockchainaddress of any known records (associated with the digital content), inoperation 1846, data consumer 109 is able to locate any later recordsthat link to the known records. This enables data consumer 109 toidentify whether the digital content has been superseded, and alsowhether any certification has been achieved or lost. That is, inoperations 1846 and 1448, data consumer 109 may search within blockchain410 for references to known records, and finding no later records linkedto some digital content, determine that the most recent record is forthe current version of the digital content.

FIG. 19 illustrates a flowchart 1900 of exemplary operations associatedwith disclosed examples of blockchain operations, for example, usingblockchain records with third party digital signatures as a trustelement for high-risk digital content. In some examples, at least aportion of flowchart 1900 may be performed using one or more computingdevices 2600 of FIG. 26. Digital content is generated at 1902, and dataowner 111 (e.g., developer 110) digitally signs it at 1904. A record forthe digital content is generated at 1906, and the data owner's digitalsignature is appended to the record at 1908. Data custodian 112digitally signs the digital content and/or the record at 1910, and thedigital signature(s) of data custodian 112 are appended to the record at1912.

Permissioning entity 440 digitally signs the digital content and/or therecord at 1914, and the digital signature(s) of permissioning entity 440are appended to the record at 1916. Certification entity 210 digitallysigns the digital content and/or the record at 1918, and the digitalsignature(s) of certification entity 210 are appended to the record at1920. The record is published with the digital signatures in blockchain410, at 1922.

At 1924, data consumer 109 obtains a copy of the record, and possibly acopy of the blockchain 410, or at least the block containing the record.Data consumer 109 obtains the public keys of all of the signatories at1926, and verifies the digital signatures at 1928. If any of the digitalsignatures do not match at decision operation 1930, data consumer 109rejects the digital content at 1932. Data consumer 109 should furthergenerate an alert for permissioning entity, developer 110, any otherdata owners 111, and certification entity 216. In some scenarios, dataconsumer 109 may even publicize the digital signature mismatch in orderto trigger further and ongoing attestation of data stored outsideblockchain 410. Otherwise, data consumer 109 has not yet detected areason to reject the digital content, and so performs furtherverification operations on the digital content (e.g., operation 950 offlowchart 900, and operations 1840-1848 of flowchart 1800.

FIG. 20 illustrates an exemplary arrangement 2000 that may performblockchain operations, as disclosed herein, for example in accordancewith FIG. 6A and later figures. In arrangement 2000, permissioningentity 440 also acts as data custodian 112 (see FIG. 1), although itshould be understood that another entity may instead act as datacustodian 112. Arrangement 2000 uses a storage 2038, operated bypermissioning entity 440, as a central data storage solution. Storage2038 is accessed by users who upload data, files or information (e.g.,data owners 111) and users who download such data, files or information(e.g., data consumers 2050). A user may take the role of data owner 111or data consumer 109, interchangeably, and even simultaneously.

In some examples, storage 2038 may be implemented as a cloud solutionand may be portable among various cloud platform solutions. In someexamples, storage 2038 may be implemented as a local (off-cloud) orhybrid solution. In some examples, storage 2038 supports user identitymanagement, such that data owners 111, storage platform administrators(e.g., permissioning entity 440, or data custodian 112), and/or anexternal service assign access and/or visibility permission to dataconsumers 109 for resources on storage 2038.

A permissioning entity utility 2034, which may be hosted on storage2038, or on a different platform, manages generation of blockchain 410.In some examples, permissioning entity utility 2034 is implemented assoftware that runs on data owner's computer network 2030, for example onstorage 2038, or on a separate independent server. In some examples,another entity, not affiliated with storage 2038, may host and maintainpermissioning entity utility 2034. In some examples, blockchain 410 isimplemented using a database that is able to add and query informationfrom blockchain 410. In some examples, storage 2038 is able to store andmaintain transactions (e.g., records) prior to permissioning entity 440committing them to a block. Permissioning entity 440 acts as a centralgatekeeper to accept transactions (e.g., records, see FIG. 12) andcommit them to blockchain 410. In some examples, permissioning entity440 publishes the current state of blockchain 410, from a singletransaction in a single block, up through all transactions across allblocks, through an interface 410 a that is accessible to data owners 111and data consumers 109.

In some examples, permissioning entity 440 permits data owners 111 anddata consumers 109 to access some aspects of permissioning entityutility 2034 through an application programming interface (API). The APIincludes endpoints that enable data owners 111 and data consumers 109 tocarry out protocol steps indicated below. In some examples, thefunctionality of this API includes:

-   -   an ability to register a public key 2013 of a data owner 111        with permissioning entity 440;    -   an ability to view instructions or download software that        locally computes a message digest (e.g., IVC, see FIG. 11) of a        file (e.g., digital content 114), and or to create a record        (e.g., record 1211) for the file (i.e., the software includes a        version of record generator 1210 of FIG. 12);    -   an ability to query storage 2038 for a message digest;    -   an ability to submit trust verification, with a digital        signature protected by a private key 2012 of data owner 111,        that corresponding to registered public key 2013, to certify        that a file uploaded to storage 2038 is actually the file data        owner 111 intended to upload for sharing;    -   an ability to search and retrieve transactions on blockchain 410        that may be present but not yet added as transactions (e.g., not        yet added to an open block);    -   an ability to download a desired amount of information from        blockchain 410;    -   endpoints (subject to compatibility) allowing users to manually        or programmatically upload files to storage 2038;    -   an ability to query registered public key 2013 (associated with        private key 2012 used by data owner 111 to sign the trust        verification); and/or    -   an ability to query a registered public key 2033 of        permissioning entity 440, that is associated with a private key        2038 of permissioning entity 440.

Examples of software capable of performing some of these functions are aclient application 2014 a, executing on computer network 2010 of dataowner 111, and a client application 2014 b, executing on a computernetwork 2050 of data consumer 109. In some examples, client application2014 a and client application 2014 b are the same application, havingthe same functionality, just used differently by different classes ofusers (e.g., data owners versus data consumers). Client application 2014a intakes a file (e.g., digital content 114) and private key 2012 ofdata owner 111, and uses computational capability 2016 in clientapplication 2014 a to generate a digital signature 2020 of data owner111 and a record for the file (e.g., record 1211).

The file (e.g., digital content 114), digital signature 2020, and therecord (e.g., record 1211) are uploaded to storage 2038. In someexamples, permissioning entity 440 also digitally signs the submittedfile and/or the submitted record using private key 2032 of permissioningentity 440, to produce a digital signature 2040. In some examples,permissioning entity 440 generates the record (rather than data owner111) and digitally signs the record. In some examples, permissioningentity 440 uses permissioning entity utility 2034 to generate records,and/or sign items, in addition to constructing blockchain 410. In someexamples, data custodian 112 (in this illustrated case, alsopermissioning entity 440) makes public keys 2013 and 2033 available fordownload by data consumer 109. In some examples, public keys 2013 and2033 are available from a registry, rather than from data custodian 112.

Data consumer 109 obtains the file (e.g., digital content 114) fromstorage 2038, and extracts the record for the file (e.g., chained record1221, which is the chained version of record 1211) from blockchain 410,for example, using interface 410 a. Data consumer 109 may compare theblock containing the record for the file with out-of-band-date proof610, for example, using interface 610 a. Data consumer 109 may alsoobtain digital signature 2020 (of data owner 111), digital signature2040 (of permissioning entity 440), public key 2013 (for data owner 111)and public key 2033 (for permissioning entity 440). Data consumer 109uses computational capability 2018 in client application 2014 b toverify digital signatures 2020 and 2040, and that the file correspondsto the record (e.g., that the message digest of digital content 114 iswithin chained record 1221).

Permissioning entity 440 handles the construction and population ofblockchain transaction entries upon a data owner submitting a file, arecord, and/or trust verification for the file. For example,permissioning entity may populate data owner digital signature field1531 with digital signature 2020 and populate permissioning entitydigital signature field 1551 with digital signature 2040 (see FIG. 15).In some examples, new transactions are created when a user submits trustverification for an updated version of a file that had previously beenuploaded to storage 3032. Permissioning entity 440 may restrict editingof contents of records of open blocks, however, to ensure configurationcontrol and quality of blockchain 410. In some examples, permissioningentity 440 uses access control measures to authenticate users, and limitsubmissions to blockchain 410 and access to API functions that lead totransaction creation. In some examples, permissioning entity 440communicates with data owner 111, data consumer 109, and any remotenodes (e.g., when storage 2038 is stored in a cloud location), usingencryption. In some examples, however, despite strict controls on whomay contribute to blockchain 410 and/or access storage 2038, blockchain410 itself, and out-of-band date proof 610 are available for publicinspection and examination.

In some examples, blockchain 410 is implemented as a relationaldatabase, a NoSQL database, a graph database, as a binary file, as aflat text file, or as another structured or unstructured data file. Insome examples, actions on the database are verified for correctness informat and data contents by permissioning entity 440. In some examples,the database contains of blocks of transactions created on a regularbasis by permissioning entity 440 (e.g., at the end of blockaccumulation periods 1231, 1232, and 1233 of FIG. 12). In some examples,transactions created but not yet composed into a block are securelystored by permissioning entity 440 in storage 2038. In some examples,such transactions are chained together by including a message digest ofthe prior transaction processed (e.g., in record chain 1229). In someexamples, chained, timestamped transactions, not yet committed to ablock, are configured to provide ready indications of tampering by aninsider threat or an APT (e.g., APT 2060) that may be lurking withincomputer network 2030, but not yet detected by permissioning entity 440.

Example protocol implementations may include data upload and trustverification, queueing and protecting unblocked transactions, creatingblocks, trust verification check for unblocked transactions, trustverification check for blocked transactions, trust verification checkfor blocked transactions, retrieving the public blockchain record, andverifying the integrity of the blockchain. Examples of these protocolsare described below:

Data Upload and Trust Verification: When uploading a file, a user firstauthenticates to storage 2038 and to permissioning entity utility 2034.For example, data owner 111 uploads a file to storage 2038 throughavailable means, such as over network 130. Data owner 111 computes, on alocal copy of the file, a message digest using a hash function that isresistant to pre-image attacks. Data owner 111 then downloads the filehosted on storage 3032. Data owner 111 computes the message digest ofthe downloaded file and verifies that the message digests are identical.Once complete, data owner 111 validates that the file on storage 3032 isactually the file intend for sharing, and that the file as downloaded isequivalent to the file uploaded based on the message digest match. Aftervalidation, data owner 111 submits digital signature 220 (using privatekey 2012) to permissioning entity 440. Permissioning entity 440 composesa transaction that includes the event timestamp, links it to theprevious transaction and queues the transaction for inclusion in ablock.

Queueing and protecting unblocked transactions: Transactions awaitinginclusion in in a block are in the queue of permissioning entity 440.Queued transactions may be managed by some of the following protocols.Creating blocks: During regular intervals (e.g., block accumulationperiods), queued transactions are loaded into a block. A block mayinclude a variable number of records, with a minimum of one record, thechaining record that chains a newly-closed block to the prior block.Periodic blocking of a collection of transactions is preferable toblocking one transaction at a time because is facilitates independent,external validation. For example, a single out-of-band date proof 610establishes a no-later-than date-of-existence of the item for which itcontains the message digest. It may be impractical to create anout-of-band date proof 610 for each of thousands of items. Thus, ifmessage digests for the thousands of items are contained within a singleblock, and the message digest for that block is within out-of-band dateproof 610, verification of any one of the items requires only twomessage digest calculations—no matter how many items are represented bythe block. That is, data consumer 109 does not need to attemptreconstructing the entirety of record chain 1229, going back thousandsof records, but instead needs to compute only the message digest for theitem of interest and the message digest for the block. A block maycontain chained transactions that had been queued during the blockaccumulation period, along with chaining records. Upon close-out of ablock the queued transactions may be removed from the queue, to startthe queue over with the next batch of incoming transactions.

Trust verification check for unblocked transactions: Data consumer 109verifies the trustworthiness of a file downloaded from storage 2038 bycomparing the message digest of the file against the message digestpresent in an unblocked transaction managed by permissioning entity 440.Data consumer 109 queries permissioning entity utility 2034 to fetch thetransaction corresponding to the file. In some examples, data consumer109 alternatively requests from permissioning entity utility 2034 thecollection of all not yet blocked transactions. Data consumer 109 thenverifies that the computed message digest of the file matches themessage digest of the file stored in the transaction. Data consumer 109obtains public key 2013 of the alleged data owner (data owner 111, whoseidentity may not yet be trusted by data consumer 109) that is marked inthe transaction. Data consumer 109 uses public key 2013 to verify thatthe trust signature of the file was placed by the genuine data owner.

Trust verification check for blocked transactions: Data consumer 109verifies the trustworthiness of a file downloaded from storage 2038 bycomparing the message digest of the file against the message digestpresent in an unblocked transaction managed by permissioning entity 440.Data consumer 109 queries permissioning entity utility 2034 to fetch thetransaction corresponding to the file. In some examples, data consumer109 alternatively requests from permissioning entity utility 2034 thecollection of all not-yet-blocked transactions. Data consumer 109 thenverifies that the computed message digest of the file matches themessage digest of the file stored in the transaction. Data consumer 109obtains public key 2013 of the alleged data owner that is marked in thetransaction. Data consumer 109 uses public key 2013 to verify that thetrust signature of the file was placed by the genuine data owner.

Retrieving the public blockchain record: Data consumer 109 or data owner111 sends a request from client application 2014 a or 2014 b usingquerying capability of the client function (e.g., computationalcapability 2016 or 2018). This request is sent to permissioning entityutility 2034 which retrieves blockchain 410 (or a specifically-requestedportion of blockchain 410) stored in storage 2038, and packages therequested data into a data interchange format. The interchange formatmay be JavaScript Object Notation (JSON), comma-separated value (CSV)file, flat text, binary or other form. The packaged blockchain is sentback to client application 2014 a or 2014 b and stored locally on dataowner's computer network 2010 or data consumer's computer network 2050.

Verifying the integrity of the blockchain: After blockchain 410 (or aportion) is retrieved and stored locally, or if blockchain 410 is beingviewed using a web interface, data consumer 109 may use out-of-band dateproof 610, which is externally published and managed, to verify that themessage digest published in out of band proof 610 matches an independentcalculation that is performed by data consumer 109. This verifies fordata consumer 109 that the message digest being viewed locally has thesame value as what everyone else should see. Data consumer 109 may thenuses the locally stored copy of blockchain 410, as needed, for exampleto verify the integrity of additional data sets that had been registeredin blockchain 410. In some examples, computational capability or 2018(or computational capability 2016 for data owner 111) recalculates everymessage digest used to link blocks of blockchain 410. In some examples,computational capability or 2018 (or computational capability 2016 fordata owner 111) also recalculates message digests used to link recordswithin blocks of blockchain 410. If a message digest independentlycalculated by data consumer 109 (or data owner 111) does not match thecorresponding message digest in blockchain 410, this is a signal thatthe copy of blockchain 410 may not be correct (i.e., the integrity ofthe copy blockchain 410 has been compromised) and so is invalid.

If, however, if the local copy blockchain 410 has been verified againstout-of-band date proof 610, client application 2014 a or 2014 b uses itsquerying capability to send a request to permissioning entity utility2034 to retrieve various blocks and their message digests (which arealso stored in the subsequent blocks) from a centrally hosted copy ofblockchain 410 (located on permissioning entity's computer network 2030,or elsewhere). Client application 2014 a or 2014 b verifies that thereturned message digests from the centrally hosted copy of blockchain410 match those independently calculated (generated) by data consumer109 (or data owner 111) using the local copy of blockchain 410. If thesevalues all match, data consumer 109 (or data owner 111) has some levelof confidence that their local copy of blockchain 410 matches thecentrally hosted copy of blockchain 410. If the values do not match,data consumer 109 (or data owner 111) becomes aware of a potential errorin either their local copy of blockchain 410 or the centrally hostedcopy of blockchain 410, and may contact permissioning entity 440 toalert permissioning entity 440.

In some examples, the mismatch between message digests independentlycalculated by data consumer 109 and message digests retrieved by dataconsumer 109 from across network 130 may occur due to the effect of APT2060 on computer network 2030 (as-yet undetected by permissioning entity440) or because data consumer 109 had retrieved a copy of spoofedblockchain 420. It is here that out-of-band date proof 610 providesvalue, be assisting data consumer 109 in ascertaining which scenario ismore likely. If out-of-band date proof 610 matches the independentlycalculated message digests, APT 2060 may be operating on computernetwork 2030. If, however, out-of-band date proof 610 matches thoseprovided over network 130, data consumer 109 may have instead retrievedspoofed blockchain 420 (rather than a legitimate copy of blockchain410).

Centrally managed blockchain 410 enables those who have sharedinformation, and others who are arbitrators of information, to applysecure signatures attesting to information authenticity (origin) andveracity (correctness). Using public/private key encryption technologyas barriers to forgery, signatures may be cryptographically verified byothers. This blockchain approach solves the problem of determining thelevel of trust to place in information and data that are shared throughthird-party repositories. Considering current cloud-based examples,information that is shared through such services may carry the name of apurported sharing entity (e.g. a user name or other sourceidentification). However, outside the use of a blockchain, attempt toverify that the retrieved information and data had not been forged maybe burdensome or incomplete. Further, mechanisms for sharing parties toverify that their uploaded information and data has not been altered orreplaced (either intentionally or accidentally), by the data sharingservice, may also be burdensome or incomplete. Solutions disclosedherein solve these challenges. Those who share information may nowdigitally attest to the correctness of the information on a data sharingplatform, by signing data as a proclamation: “This shared informationwas verified to be correct, complete, and is exactly the information Iintended to share”. Information consumers may use the digital signaturesto ascertain the sharing entity's intent, to verify that theauthenticity of the data sharer, and to further impart confidence in theinformation by reviewing additional signatures applied by informationarbiters. This establishes a level of trust in shared data that may beuseful for sensitive information and when parties sharing and consuminginformation have not established a mutually-trusted data exchangechannel.

FIG. 21 illustrates a stratified and segmented storage solution 2100suitable for use with various classification levels of information thatis all registered with blockchain 410. A plurality of data owners 111a-111 g register their digital content with blockchain 410, even thoughthe digital content itself may have distribution limitations. Acommunity 2120 of data consumers 109 a-109 g and data owners 111 a-111 gall may access blockchain 410, and are each able to identify forgeryattempts of any blocks or records in blockchain 410 (e.g., by checkingmessage digests), even though of data consumers 109 a-109 g are unableto actually receive all of the digital content registered withblockchain 410. This example demonstrates an advantageous aspect ofoff-chain storage, in which in the blockchain does not contain contentfrom the digital content files.

Storage solution 2100 has a public tier 2038 p that stores informationthat is publicly available, without distribution limitation. Althoughpublic tier 2038 p is illustrated as being within storage 2038 (which isoperated by permissioning entity 440), public tier 2038 p may be largerthan merely what is within storage 2038, and may extend outside thecontrol of permissioning entity 440. A controlled unclassifiedinformation (CUI) tier 2038 u is segmented into segment 2102 a andsegment 2102 b, based on the types of information (e.g., personalidentifiable information (PII), a.k.a. personal information (PI), orproprietary information). This permits selective access to informationby data consumers 109 a-109 g, according to the type of information.Thus, storage 2038 is stratified and segmented according to accesslimitations.

A confidential tier (C tier) 2038 c holds information that is classifiedat the confidential level, in different segments (e.g., segment 2104 a,segment 2104 b, and segment 2104 c), to permit selective access toinformation by data consumers 109 a-109 f, according to the type ofinformation. A secret tier (S) tier 2038 s holds information that isclassified at the secret level, in different segments (e.g., segment2106 a, segment 2106 b, segment 2106 c, and segment 2106 d), to permitselective access to information by data consumers 109 a-109 f, accordingto the type of information. A top secret (TS) tier tier 2038 t holdsinformation that is classified at the top secret level, in differentsegments (e.g., segment 2108 a, segment 2108 b, segment 2108 c, andsegment 2108 d), to permit selective access to information by dataconsumers 109 a-109 d, according to the type of information. A sensitivecompartmented (SC) tier 2038 i holds information that is concerning orderived from sensitive intelligence sources, methods, or analyticalprocesses, in different compartments (e.g., segment 2110 a, segment 2110b, segment 2110 c, and segment 2110 d), to permit selective access toinformation by data consumers 109 a and 190 b. A special access (SA)segment 2112 holds information that is subject to special accessrequirements, and which itself may be at different classification tiers,such as an SC segment 2110 e, a TS segment 2108 e, and a S segment 2106e. In some examples, different hardware storage solutions are used forthe different tiers and segments.

In operation, data owner 111 a and data owner 111 b are permitted towrite to any segments in SC tier 2038 i, TS tier 2038 t, S tier 2038 s,C tier 2038 c, and CUI tier 2038 u for which they have privileges, andalso public tier 2038 p. Any of the digital content written by dataowners 111 a and 111 b to those storage locations may be registered, viarecords, in blockchain 410. Data consumer 109 a and data consumer 109 bare permitted to read from any segments in SC tier 2038 i, TS tier 2038t, S tier 2038 s, C tier 2038 c, and CUI tier 2038 u for which they haveprivileges, and also public tier 2038 p. Data owner 111 c and data owner111 d are permitted to write to any segments in TS tier 2038 t, S tier2038 s, C tier 2038 c, and CUI tier 2038 u for which they haveprivileges, and also public tier 2038 p. Any of the digital contentwritten by data owners 111 c and 111 c to those storage locations may beregistered, via records, in blockchain 410. Data consumer 109 c and dataconsumer 109 d are permitted to read from any segments in TS tier 2038t, S tier 2038 s, C tier 2038 c, and CUI tier 2038 u for which they haveprivileges, and also public tier 2038 p.

Data owner 111 e and data owner 111 f are permitted to write to anysegments in S tier 2038 s, C tier 2038 c, and CUI tier 2038 u for whichthey have privileges, and also public tier 2038 p. Any of the digitalcontent written by data owners 111 e and 111 f to those storagelocations may be registered, via records, in blockchain 410. Dataconsumer 109 e and data consumer 109 f are permitted to read from anysegments in S tier 2038 s, C tier 2038 c, and CUI tier 2038 u for whichthey have privileges, and also public tier 2038 p. Data owner 111 g ispermitted to write to only public tier 2038 p, and register the digitalcontent in blockchain 410. Data consumer 109 g is permitted to read fromonly public tier 2038 p.

As indicated, a record generator 1210 is available in multiple locationsto permit data owners 111 a-111 g to create their own records fordigital content. This permits permissioning entity 440 to accept recordsand include them within blockchain 410, even when permissioning entity440 does not store the digital content. That is, three modes ofoperation are available: (1) permissioning entity 440 receives digitalcontent and generates records for blockchain 410; (2) permissioningentity 440 receives only records for inclusion in blockchain 410, butdoes not receive the digital content itself, or (3) permission entity440 receives the digital content for storage and also receives recordsthat had been generated by the data owners.

All of data owners 111 a-1116 may access blockchain 410 to verify thatrecords corresponding to stored (or otherwise registered) digitalcontent appear within blockchain 410. Similarly, all of data consumers109 a-109 g (and in some examples, even the general public) may alsoaccess the entirety of blockchain 410, despite access limitations on thedigital content itself. This scheme enlarges community 2120 (dataconsumers 109 a-109 g and data owners 111 a-111 g) that is able toidentify forgery attempts of any blocks or records in blockchain 410. Incontrast, a blockchain that uses on-chain storage must be limited indistribution to only data owners and data consumers who have access tothe digital content, curtailing the size of the community that is ableto detect forgery attempts.

An access control 2114 authenticates each of data owners 111 a-111 g anddata consumers 109 a-109 g to selectively permit accessing variousportions of storage solution 2100 (or storage 2038) by tier and segment,and may also log access events such as writing and reading. In someexamples, access control 2114 requires stricter levels of authenticationfor more restricted access conditions (e.g., higher classification leveltiers or SA segment 2112). For example, little (if any) control may berequired for reading from public tier 2038 p (although writing to publictier 2038 p may be more strictly controlled to prevent malicious orcareless parties from bloating public tier 2038 p with material that isnot registered in blockchain 410), whereas a hardware token may berequired for reading from C tier 2038 c and higher tiers (e.g., 2038 s,2038 t). In some examples, SC tier 2038 i, SA segment 2112, and anyother storage not controlled by permissioning entity 440 may have aseparate access control solution.

FIGS. 22-25 illustrate flowcharts of exemplary operations associatedwith disclosed examples of blockchain operations. Specifically, FIG. 22illustrates a flowchart 2200 of assembling blocks of blockchain 410;FIG. 23 illustrates a flowchart 2300 of verifying the integrity of arecently closed block prior to chaining it to blockchain 410; FIG. 24illustrates a flowchart 2400 of actions by data owner 111 whensubmitting a record or digital content 114 for registration inblockchain 410; and FIG. 25 illustrates a flowchart 2500 of actions bydata consumer 109 when using blockchain 410 to ensure integrity ofdigital content 114. Flowcharts 2200, 2300, 2400, and 2500 all operatein an ongoing cooperative manner, in parallel. In some examples,flowcharts 2200, 2300, 2400, and 2500 show processes that are equivalentto, and/or have corresponding operations as flowcharts 900, 1700, 1800,and 1900, and message sequence diagram 1000. That is, disclosedblockchain operations may reference enumerated operations from among anymixed set of the flowcharts and message sequence diagram shown herein.In some examples, at least a portion of each of flowcharts 2200, 2300,2400, and 2500 may be performed using one or more computing devices 2600of FIG. 26.

Turning first to FIG. 22, flowchart 2200 may be performed bypermissioning entity 440, in some examples. Operation 2202 starts ablock accumulation period (e.g., block accumulation period 1231), andsubsequent operations 2204-2230 occur during the block accumulationperiod. Operation 2204 includes receiving a plurality of records in asequence, each record of the plurality of records respectivelycomprising a record for a digital content file and including a messagedigest for the digital content file. In some examples, a data owner(e.g., data owner 111) submits the record directly, and not the digitalcontent. In such examples, receiving the record for the digital contentfile may further comprises receiving the digital signature of thedigital content file by the data owner of the digital content file(i.e., the record arrives with the date owner's digital signature). Inother examples, however, operation 2204 is accomplished via operations2206-2212.

Operation 2206 includes receiving the digital content file, operation2208 includes storing the digital content file as a stored digitalcontent file, and operation 2210 includes generating, for the digitalcontent file, the message digest that is included within the record forthe digital content file. In some examples, the initial record in a newblock is the record for the preceding block (see FIGS. 13 and 14 andtheir descriptions). In some examples, the message digest comprises atleast a portion of a SHA function message digest. In some examples, themessage digest comprises at least a portion of a first message digestfrom a first hash function and at least a portion of a second messagedigest from a second hash function. In some examples, the message digestcomprises a first message digest for a concatenation of the digitalcontent file with a second message digest for the digital content. Insome examples, the message digest comprises a portion, less than theentirety, of a message digest from a hash function.

Operation 2212 includes receiving the digital signature of the digitalcontent file by the data owner of the digital content file. This is theoutput of operation 2418 of flowchart 2400. The entity that generatesthe blockchain (e.g., permissioning entity 440) verifies the dataowner's digital signature as 2214. There are options for the dataowner's digital signature: the data owner may sign the message digest orthe digital content itself. Thus, some examples of operation 2214include verifying that the message digest for the digital content filewithin the record for the digital content file matches anindependently-generated message digest for the digital content file.Decision operation 2216 determines whether there is a match. If there isno match, the record is rejected in operation 2218, and not included inthe block. Otherwise, the entity that generates the blockchain(permissioning entity 440) digitally signs the record at 2220. Operation2220 includes, based on at least the message digest for the digitalcontent file within the record for the digital content file matching theindependently-generated message digest for the digital content file,inserting a digital signature of the digital content file by the entitythat generates the blockchain into the record for the digital contentfile.

To accomplish this, operation 2220 includes generating a digitalsignature of the digital content file by the entity that generates theblockchain (or in some cases, the record chain). In some examples,operation 2220 includes, prior to generating a digital signature of thedigital content file by the entity that generates the blockchain,verifying that the message digest for the digital content file withinthe record for the digital content file matches anindependently-generated message digest for the digital content file. Insome examples, operation 2220 includes, prior to generating the digitalsignature of the digital content file by the entity that generates theblockchain, verifying the digital signature of the digital content fileby the data owner of the digital content file.

The records may include digital signatures of not only the data ownerand/or the permissioning entity (the entity that generates theblockchain), but also a digital certification entity's signature (e.g.,certification entity 210). The certification entity signs the record inoperation 2222. Operation 2222 includes inserting a digital signature ofthe digital content file by a certification entity into the record forthe digital content file. In some examples, at least one record of theplurality of records further includes, in addition to the message digestfor the digital content file and the message digest for the earlierrecord, a digital signature of the digital content file by a data ownerof the digital content file, and/or a digital signature of the digitalcontent file by an entity that generates the blockchain. In someexamples, at least one record of the plurality of records furthercomprises a digital signature of the digital content file by acertification entity, indicating that the digital content file has beenexamined for trustworthiness. In some examples, at least one record ofthe plurality of records further comprises a certification linking fieldindicating, by its position within the record for the digital contentfile that, when the certification linking field references anotherrecord, the digital content file comprises at least one file selectedfrom the list consisting of: a certification for another digital contentfile, a revocation of certification for another digital content file,and content for which another digital content file providescertification, wherein the reference to the other record comprises ablockchain address of a record for the first prior-version digitalcontent file. Alternatively, certification may be indicated by aseparate record (e.g., record 414 of FIG. 4A).

The records may also include timestamps (see FIG. 15). In some examples,at least one record of the plurality of records further comprises adigital content timestamp indicating a time for the digital contentfile. In some examples, at least one record of the plurality of recordsfurther comprises a record timestamp indicating a time for the recordfor the digital content file. In some examples, the digital contenttimestamp is included within a digital signature by the data owner. Insome examples, the record timestamp is included within a digitalsignature by the data owner. In some examples, the record timestampindicates a time of the receiving of the record.

The records may also include linking fields (see FIGS. 15 and 16). Insome examples, at least one record of the plurality of records furthercomprises a first linking field indicating, by its position within therecord for the digital content file that, when the first linking fieldreferences a first other record, the digital content file comprises alater version of a first prior-version digital content file, wherein thefirst other record comprises a record for the first prior-versiondigital content file. In some examples, the reference to the first otherrecord comprises a blockchain address of a record for the firstprior-version digital content file. In some examples, the blockchainaddress comprises an index of the record for the prior-version digitalcontent file within a block in which the record for the prior-versiondigital content file appears. In some examples, at least one record ofthe plurality of records further comprises a second linking fieldindicating, by its position within the record for the digital contentfile that, when the first linking field references the first otherrecord and the second linking field references a second other record,the digital content file comprises a merge of the first prior-versiondigital content file and a second first prior-version digital contentfile, wherein the second other record comprises a record for the secondprior-version digital content file. In some examples, the block in whichthe record for the prior-version digital content file appears is theblock in which the record for the digital content file appears. In someexamples, the block in which the record for the prior-version digitalcontent file appears is earlier within the blockchain than the block inwhich the record for the digital content file appears.

Operation 2224 includes chaining the plurality of records using messagedigests, to produce a record chain. Chaining records comprises insertinga message digest for an earlier record into a subsequent record. In someexamples, the subsequent record is the immediately subsequent record. Insome examples, chaining the received plurality of records compriseschaining the received plurality of records according to the sequence ofreceiving, to produce a record chain. Operation 2226 includes, duringthe block accumulation period in which the record for the digitalcontent file is received, transmitting, over a network, to a data ownerof the digital content file, a message digest of the record for thedigital content file that is used for chaining a record subsequent tothe record for the digital content file to the record for the digitalcontent file in the record chain. The output of operation 2226 is aninput to operation 2422 of flowchart 2400. Operation 2228 includesappending the plurality of records into a currently open block of ablockchain. In some examples, the first record in an open block is theoutput of operation 2318 of flowchart 2300. Appending the plurality ofrecords into the currently open block comprises appending the recordchain into the currently open block.

Decision operation 2230 determines whether a trigger condition hasoccurred to end the block accumulation period, such as the date, time ofday, or reaching an accumulated number of records. Upon the end of theblock accumulation period, operation 2232 includes closing the currentlyopen block to additional records, rendering the currently open blockinto a closed block, and triggering the start of a cycle of flowchart2300 (of FIG. 23). Operation 2234 includes opening a new current blockinto which a future plurality of records may be appended. Flowchart 2200returns to operation 2202 to iterate for the next block. Flowchart 2200remains ongoing, triggering flowchart 2300 at the end of each blockaccumulation period.

Turning now to FIG. 23, showing flowchart 2300 (which may also beperformed by permissioning entity 440, in some examples), operation 2302includes verifying that the record chain has not been altered. This isaccomplished by iterating operations 2304 and 2306 along the recordchain. Operation 2304 includes generating new message digests forrecords within the record chain; and operation 2306 includes comparingthe new message digests with message digests in subsequent records thatare used for chaining records in the record chain. (See FIG. 15,specifically message digest field 1521). Decision operation 2310determines whether the record chain is intact (i.e., no mismatches).

If the record chain is not intact, this may be due to the presence of anAPT operating on computing network 2030, but may also be due tonon-malicious causes, such as data or record errors. The failure ifdiagnosed in operation 2310, which may also include remedying the sourceof errors and restarting operation 2302 with a rebuilt record chain.

If the record chain is intact, operation 2312 includes chaining theclosed block to the blockchain, wherein chaining blocks to theblockchain comprises inserting a message digest for an earlier block(the recently closed block) into a subsequent block. In some examples,the subsequent block is the immediately subsequent block. Operation 2312may be accomplished using operations 2314-2318. Operation 2314 includesgenerating a record for the closed block (the earlier block than thenow-current block). The record for the earlier block includes a messagedigest for the earlier block. In some examples, the record for theearlier block includes a digital signature of the earlier block by theentity that generates the blockchain. Operation 2316 includes appendingthe record for the closed block into the record chain. In some examples,this includes inserting the record for the earlier block (the closedblock) into the record chain, so that the record for the earlier blockfurther includes a message digest of a final record of the record chainwithin the earlier block. In this manner, the record chain provides afirst chaining tier and chaining the multiple blocks provides a secondchaining tier.

Operation 2318 includes inserting the record for the earlier block intothe subsequent block. This ties flowchart 2300 back to flowchart 2200,because the output of operation 2318 of flowchart 2300 is an input tooperation 2228 of flowchart 2200. Operation 2320 includes generating,for the closed block, an out-of-band date proof, the out-of-band dateproof comprising a message digest for the closed block that is used forchaining a block subsequent to the closed block to the closed block inthe blockchain.

The current copy of the blockchain, with the new block, is published inoperation 2322 for public inspection. This enables flowcharts 2400 and2500 to run with the new blockchain version, specifically operation 2424of flowchart 2400. The out-of-band date proof is publicized in operation2324. Flowchart 2300 then iterates operations 2302-2320 in parallel withthe iteration of flowchart 2200, while flowcharts 2400 and 2500 operateon an as-needed basis for data owners and data consumers.

FIG. 24 shows flowchart 2400, which is performed by data owners (e.g.,data owner 111), except for final operation 2434. Operation 2302includes generating or obtaining digital content (e.g., digital content114). Operation 2404 includes generating a message digest for thedigital content file. There are two options for the data owner. The dataowner may either generate the record and submitting it (operation 2420,below) or submitting the digital content as a digital content file sothat permissioning entity 440 generates the record (operations2406-2418).

With the digital content submission option, operation 2406 includessubmitting the digital content as a digital content file. This is theinput to operation 2206 of flowchart 2200 (not shown on flowchart 2200due to space constraints). Operation 2408 includes retrieving, over anetwork, by the data owner, the stored digital content file. This occursafter operation 2208 of flowchart 2200 (also not shown on flowchart 2200due to space constraints). Operation 2410 includes generating a messagedigest for the retrieved stored digital content file, and decisionoperation 2412 includes comparing message digests from operations 2304and 2308. If there is not a match, the data owner alerts thepermissioning entity as part of operation 2414. This condition indicatesthat there may be errors or an APT in permissioning entity's system.Otherwise, the data owner digitally signs the digital content file orthe message digest of the digital content file, in operation 2416. Thedata owner's digital signature is submitted in operation 2418, which isan input to operation 2212 of flowchart 2200.

Alternatively, the data owner holds the digital content itself (whichmay be the case for certain information, as indicated in FIG. 21), andoperation 2420 includes submitting the record for the digital content tothe permissioning entity. In some cases, the record for the digitalcontent (submitted by the data owner) contains a digital signature bythe data owner of the digital content file or the message digest of thedigital content file.

When flowchart 2200 reaches operation 2226 and transmits the messagedigest for the completed record (the same message digest that is used inthe record chain), the data owner receives the message digest inoperation 2422. Operation 2422 includes receiving, by the data owner ofthe digital content file, the transmitted message digest. When flowchart2300 reaches operation 2322, and the new version of blockchain 410 ispublished, the data owner retrieves the blockchain in operation 2424.Operation 2424 includes retrieving, over the network, a copy of at leasta portion of the blockchain, the portion of the blockchain comprisingthe closed block in which the record for the digital content file isincluded.

Operation 2426 includes identifying, within the blockchain, the recordfor the digital content. Decision operation 2428 includes comparing thetransmitted message digest with the message digest within the record forthe digital content file within the closed block that is used forchaining the record subsequent to the record for the digital contentfile to the record for the digital content file. If there is a match,the data owner may confirm this to the permissioning entity in operation2430, or may just note that the integrity proof for the digital contentis proceeding properly. Otherwise, operation 2432 includes, responsiveto a mismatch between the transmitted message digest with the messagedigest within the record for the digital content file within the closedblock that is used for chaining the record subsequent to the record forthe digital content file to the record for the digital content file,generating an alert for the entity that generates the blockchain and/oran entity that generates the blockchain. In operation 2434, thepermissioning entity diagnoses the cause of the mismatch, possiblyidentifying the presence of an APT (e.g., APT 2060).

FIG. 25 shows flowchart 2500, which is performed by data consumers(e.g., data consumer 109). Operation 2524 includes retrieving, by a dataconsumer, a copy of the digital content. In some examples, the digitalcontent is retrieved from storage 2038; in some examples, it isretrieved directly from a data owner. Operation 2504 includes generatinga message digest for the retrieved stored digital content file.Operation 2506 includes retrieving, over a network, by a data consumer,a copy of at least a portion of the blockchain, the portion of theblockchain comprising the closed block in which the record for thedigital content file is included. Operation 2508 includes identifying,within the blockchain, the record for the digital content. Decisionoperation 2510 determines whether the message digest found in the recordfor the digital content matches the message digest computed by the dataowner in operation 2504. That is, operation 2510 includes comparing thegenerated message digest for the retrieved stored digital content filewith the message digest for the digital content file within the recordfor the digital content file within the closed block.

If there is a mismatch, the data consumer should alert the permissioningentity, the data owner, and publicizes the failure to warn others thatthe downloaded digital content may not be trustworthy. Additionally, thedata consumer should reject the digital content, and not use it. Thisoccurs in operation 2512. Otherwise, the data consumer proceeds tooperation 2514 to verify the integrity and no-later-date-of-existence ofthe block. Operation 2514 includes operations 2516 and 2518. Operation2516 includes generating a message digest for the retrieved closedblock, and operation 2518 includes retrieving the out-of-band date proofcomprising a message digest for the closed block. A decision operation2520 determines whether the message digest calculated in operation 2516matches the out-of-band date proof (e.g., out-of-band-date proof 610) bycomparing the generated message digest for the retrieved closed blockwith the message digest from the out-of-band date proof. A mismatchdirects flowchart 2500 to operation 2512.

Otherwise, with the independently-calculated message digest of the blockmatching the message digest found in the out-of-band date proof, and theindependently-calculated message digest of the digital content matchingthe message digest found in the record within the block, the dataconsumer may have confidence that the digital content has ano-later-than date-of-existence as of the date of out-of-band dateproof. At this point, the data consumer may wish to check the digitalsignatures. For example, data consumer 109 may wish to verify digitalsignature 2020 (of data owner 111) using public key 2013 (for data owner111), digital signature 2040 (of permissioning entity 440) using publickey 2033 (for permissioning entity 440), and any digital signature ofcertification entity 210. This will be accomplished in operation 2538,and the data consumer has the option to perform such checks, now.

However, the data consumer may prefer to verify that the retrieveddigital content is the latest version, examine its, pedigree, andidentify whether any certifications (e.g., absence of malicious logic,fitness for a particular purpose, or other) have been issued and arevalid. Thus, operation 2522 (comprising operations 2524-2528) searchesearlier in the blockchain for records of prior versions of the digitalcontent to establish a pedigree of the digital content. Operation 2524includes identifying, within the record for the digital content areference to a first other record within a first linking field (seelinking fields portion 1560 of record 1500, specifically linking fields1561 and 1652 in FIG. 15). The first linking field indicates, by itsposition within the record for the digital content file that, when thefirst linking field references a first other record, the digital contentfile comprises a later version of a first prior-version digital contentfile, wherein the first other record comprises a record for the firstprior-version digital content file. Operation 2524 also includesretrieving, from the blockchain, the first other record.

With that other record retrieved, the search for prior linked recordsmay be repeated recursively, until the earliest record is located andretrieved. Operation 2526 includes searching, within the first otherrecord for a linking field reference to an earlier prior-version record,and iteratively searching the blockchain for prior version records toestablish a pedigree of the digital content file. Operation 2528identifies merge events, as described above. Merge events may also beidentified recursively, for example if a plurality of files were mergedin a plurality of merge events to produce the current digital content.

The blockchain may also be traversed later in time, to identifysuperseding versions, and ultimately, the latest (current) version ofthe digital content, in operation 2530. This may be accomplished forsearching, within the blockchain for any later records that have, withintheir linking field, the address of the current record. This process mayalso be performed recursively, until the latest record is identified.Operation 2530 includes operations 2532 and 2434. Operation 2532includes searching, within blocks of the blockchain that are subsequentto the closed block in which the record for the digital content fileappears, for references to the record for the digital content file. Therecords are also retrieved. Operation 2534 includes, responsive toidentifying a reference to the record for the digital content file in areferencing record, determining whether determining whether thereferencing record comprises a record for a later version of the digitalcontent file. Operation 2534 also includes, responsive to determiningthat the referencing record comprises the record for the later versionof the digital content file, iteratively searching the blockchain forfurther later versions of the digital content file.

For any later versions identified, operation 2522 may be performed toestablish the pedigree of that later version and to identify whetherthat later version is the result of a merge event. Additionally, allversions identified may also be verified for integrity and no-later-thandate-of-existence be returning to operation 2502 for the other versionslocated.

At this point, the data consumer now has some certainty that the digitalcontent is the current version (if version control was thorough), andhas established its pedigree. All of this is accomplished withoutneeding to go outside of the blockchain (blockchain 410), and worryingthat such versioning information may have been lost (if storedelsewhere). And, simultaneously, the blockchain itself has not disclosedthe actual digital content, because the date consumer could only accessthe digital content by accessing the proper storage location andpossessing the proper access privileges (see FIG. 21). And further, thepermissioning entity (permissioning entity 440) has been alerted if anyAPT (APT 2026) has been corrupting waiting records (that have not yetbeen placed into blockchain 410) or files (on storage 2038). All ofthese benefits have accrued in a blockchain architecture that is compact(i.e., no bloating with large files) and is not threatened by aconsensus community that may be hijacked by hostile, well-fundedentities.

Further benefits of this blockchain architecture are manifest infollowing operations 2536 and 2538. Operation 2536 includes identifyingcertifications and certification revocations. This permits the dataconsumer to have some degree of confidence that an expert entity hasexamined the digital content and deemed it to be unsafe, or if that hadoccurred and the digital entity then revoked the certification, the dataconsumer will be alerted. For example, operation 2536 may includeidentifying, within the record for the digital content, a reference to athird other record within a certification linking field, thecertification linking field indicating, by its position within therecord for the digital content file that, when the certification linkingfield references a third other record, the digital content filecomprises a record of a certification for the digital content file or arecord of a revocation of the certification for the digital contentfile. Alternatively, operation 2536 may include identifying, within therecord for the digital content, a digital signature of a certificationentity. Operation 2536 may also include iteratively searching theblockchain for other certifications or certification revocations.Referencing FIG. 15, certifications and revocations of certificationsmay be indicated using digital signature and time stamp fields, similarto those in data custodian fields portions 1540 and permissioning entityfields portions 1550 replacing

Operation 2538 verifies digital signatures in the record(s) located. Forexample, data consumer 109 verifies digital signature 2020 (of dataowner 111) using public key 2013 (for data owner 111), digital signature2040 (of permissioning entity 440) using public key 2033 (forpermissioning entity 440), and any digital signature of certificationentity 210. This operation enables identification of collusion attemptsof any of data owner 111, permissioning entity 440, and certificationentity 210 with attacker 120. These additional benefits furtherdistinguish the value of the architecture of blockchain 410.

Decision operation 2540 determines whether all of the factors thus farexamined point toward the digital content (digital content 114) beingsafe to use. If not, flowchart 2500 moves to operation 2512. Otherwise,the digital content is used in a product in operation 2542. For example,operation 2542 may include, responsive to a match between the generatedmessage digest for the retrieved stored digital content file and themessage digest for the digital content file within the record for thedigital content file within the closed block, inserting digital contentfrom the digital content file into a product. In some examples,inserting digital content from the digital content file into a productcomprises responsive to both a match between the generated messagedigest for the retrieved stored digital content file and the messagedigest for the digital content file within the record for the digitalcontent file within the closed block, and a match between the generatedmessage digest for the retrieved closed block and the message digest forthe closed block within the out-of-band date proof, inserting digitalcontent from the digital content file into a product.

FIG. 26 illustrates a block diagram of computing device 2600 that may beused as any component described herein that may require computational orstorage capacity. Computing device 2600 has at least a processor 2602,and a memory 2604 that holds program code 2610, data area 2620, andother logic and storage 2630. Memory 2604 is any device allowinginformation, such as computer executable instructions and/or other data,to be stored and retrieved. For example, memory 2604 may include one ormore random access memory (RAM) modules, flash memory modules, harddisks, solid-state disks, persistent memory devices, and/or opticaldisks. Program code 2610 comprises computer executable instructions andcomputer executable components including any instructions necessary toperform operations described herein. Data area 2620 holds any datanecessary to perform operations described herein. Memory 2604 alsoincludes other logic and storage 2630 that perform or facilitate otherfunctions disclosed herein or otherwise required of computing device2600. An input/output (I/O) component 2640 facilitates receiving inputfrom users and other devices and generating displays for users andoutputs for other devices. A network interface 2650 permitscommunication over a network 2660 with a remote node 2670, which mayrepresent another implementation of computing device 2600.

ADDITIONAL EXAMPLES

An example method of establishing integrity of digital contentcomprises: during a block accumulation period: receiving a plurality ofrecords in a sequence, each record of the plurality of recordsrespectively comprising a record for a digital content file andincluding a message digest for the digital content file; chaining theplurality of records using message digests, to produce a record chain,wherein chaining records comprises inserting a message digest for anearlier record into a subsequent record; and appending the plurality ofrecords into a currently open block of a blockchain; upon an end of theblock accumulation period: closing the currently open block toadditional records, rendering the currently open block into a closedblock; and opening a new current block into which a future plurality ofrecords may be appended; chaining the closed block to the blockchain,wherein chaining blocks to the blockchain comprises inserting a messagedigest for an earlier block into a subsequent block; and iterativelyopening, appending, and chaining multiple blocks across multiple blockaccumulation periods to produce the blockchain, wherein the record chainprovides a first chaining tier and chaining the multiple blocks providesa second chaining tier, and wherein the blockchain does not containcontent from the digital content file.

Another example method of establishing integrity of digital contentcomprises: during a block accumulation period: receiving a plurality ofrecords in a sequence, each record of the plurality of recordsrespectively comprising a record for a digital content file andincluding a message digest for the digital content file; and appendingthe plurality of records into a currently open block of a blockchain;upon an end of the block accumulation period: closing the currently openblock to additional records, rendering the currently open block into aclosed block; and opening a new current block into which a futureplurality of records may be appended; chaining the closed block to theblockchain, wherein chaining blocks to the blockchain comprisesinserting a message digest for an earlier block into a subsequent block;and iteratively opening, appending, and chaining multiple blocks acrossmultiple block accumulation periods to produce the blockchain, whereinthe blockchain does not contain content from the digital content file,and wherein at least one record of the plurality of records furthercomprises: a digital signature of the digital content file by a dataowner of the digital content file and a digital signature of the digitalcontent file by an entity that generates the blockchain.

Another example method of establishing integrity of digital contentcomprises: during a block accumulation period: receiving a plurality ofrecords in a sequence, each record of the plurality of recordsrespectively comprising a record for a digital content file andincluding a message digest for the digital content file; and appendingthe plurality of records into a currently open block of a blockchain;upon an end of the block accumulation period: closing the currently openblock to additional records, rendering the currently open block into aclosed block; and opening a new current block into which a futureplurality of records may be appended; chaining the closed block to theblockchain, wherein chaining blocks to the blockchain comprisesinserting a message digest for an earlier block into a subsequent block;and iteratively opening, appending, and chaining multiple blocks acrossmultiple block accumulation periods to produce the blockchain, whereinthe blockchain does not contain content from the digital content file,and wherein at least one record of the plurality of records furthercomprises: a first linking field indicating, by its position within therecord for the digital content file that, when the first linking fieldreferences a first other record, the digital content file comprises alater version of a first prior-version digital content file, wherein thefirst other record comprises a record for the first prior-versiondigital content file.

An example system for establishing integrity of digital contentcomprises: a processor; and a computer-readable medium storinginstructions that are operative upon execution by the processor to:during a block accumulation period: receive a plurality of records in asequence, each record of the plurality of records respectivelycomprising a record for a digital content file and including a messagedigest for the digital content file; chain the plurality of recordsusing message digests, to produce a record chain, wherein chainingrecords comprises inserting a message digest for an earlier record intoa subsequent record; and append the plurality of records into acurrently open block of a blockchain; and upon an end of the blockaccumulation period: close the currently open block to additionalrecords, rendering the currently open block into a closed block; andopen a new current block into which a future plurality of records may beappended; chain the closed block to the blockchain, wherein chainingblocks to the blockchain comprises inserting a message digest for anearlier block into a subsequent block; and iteratively open, append, andchain multiple blocks across multiple block accumulation periods toproduce the blockchain, wherein the record chain provides a firstchaining tier and chaining the multiple blocks provides a secondchaining tier, and wherein the blockchain does not contain content fromthe digital content file.

Another example system for establishing integrity of digital contentcomprises: a processor; and a computer-readable medium storinginstructions that are operative upon execution by the processor to:during a block accumulation period: receive a plurality of records in asequence, each record of the plurality of records respectivelycomprising a record for a digital content file and including a messagedigest for the digital content file; and append the plurality of recordsinto a currently open block of a blockchain; upon an end of the blockaccumulation period: close the currently open block to additionalrecords, rendering the currently open block into a closed block; andopen a new current block into which a future plurality of records may beappended; chain the closed block to the blockchain, wherein chainingblocks to the blockchain comprises inserting a message digest for anearlier block into a subsequent block; and iteratively open, append, andchain multiple blocks across multiple block accumulation periods toproduce the blockchain, wherein the blockchain does not contain contentfrom the digital content file, and wherein at least one record of theplurality of records further comprises: a digital signature of thedigital content file by a data owner of the digital content file and adigital signature of the digital content file by an entity thatgenerates the blockchain.

Another example system for establishing integrity of digital contentcomprises: a processor; and a computer-readable medium storinginstructions that are operative upon execution by the processor to:during a block accumulation period: receive a plurality of records in asequence, each record of the plurality of records respectivelycomprising a record for a digital content file and including a messagedigest for the digital content file; and append the plurality of recordsinto a currently open block of a blockchain; upon an end of the blockaccumulation period: close the currently open block to additionalrecords, rendering the currently open block into a closed block; andopen a new current block into which a future plurality of records may beappended; chain the closed block to the blockchain, wherein chainingblocks to the blockchain comprises inserting a message digest for anearlier block into a subsequent block; and iteratively open, append, andchain multiple blocks across multiple block accumulation periods toproduce the blockchain, wherein the blockchain does not contain contentfrom the digital content file, and wherein at least one record of theplurality of records further comprises: a first linking fieldindicating, by its position within the record for the digital contentfile that, when the first linking field references a first other record,the digital content file comprises a later version of a firstprior-version digital content file, wherein the first other recordcomprises a record for the first prior-version digital content file.

Alternatively, or in addition to the other examples described herein,examples include any combination of the following:

-   -   generating, for the closed block, an out-of-band date proof, the        out-of-band date proof comprising a message digest for the        closed block that is used for chaining a block subsequent to the        closed block to the closed block in the blockchain;    -   verifying that the record chain has not been altered by        iteratively: generating new message digests for records within        the record chain and comparing the new message digests with        message digests in subsequent records that are used for chaining        records in the record chain;    -   chaining the closed block to the blockchain comprises:        responsive to the new message digests matching the message        digests in subsequent records, chaining the closed block to the        blockchain;    -   receiving the record for the digital content file comprises:        receiving the digital content file and generating, for the        digital content file, the message digest that is included within        the record for the digital content file;    -   receiving the record for the digital content file further        comprises receiving the digital signature of the digital content        file by the data owner of the digital content file;    -   storing the digital content file as a stored digital content        file;    -   retrieving, over a network, by a data consumer, the stored        digital content file;    -   generating a message digest for the retrieved stored digital        content file;    -   retrieving, over the network, a copy of at least a portion of        the blockchain, the portion of the blockchain comprising the        closed block in which the record for the digital content file is        included;    -   comparing the generated message digest for the retrieved stored        digital content file with the message digest for the digital        content file within the record for the digital content file        within the closed block;    -   responsive to a match between the generated message digest for        the retrieved stored digital content file and the message digest        for the digital content file within the record for the digital        content file within the closed block, inserting digital content        from the digital content file into a product;    -   generating a message digest for the retrieved closed block;    -   retrieving an out-of-band date proof comprising a message digest        for the closed block;    -   comparing the generated message digest for the retrieved closed        block with the message digest from the out-of-band date proof;    -   inserting digital content from the digital content file into a        product comprises: responsive to both a match between the        generated message digest for the retrieved stored digital        content file and the message digest for the digital content file        within the record for the digital content file within the closed        block, and a match between the generated message digest for the        retrieved closed block and the message digest for the closed        block within the out-of-band date proof, inserting digital        content from the digital content file into a product;    -   at least one record of the plurality of records further        includes, in addition to the message digest for the digital        content file and the message digest for the earlier record, a        digital signature of the digital content file by a data owner of        the digital content file, a digital signature of the message        digest for the digital content file by a data owner of the        digital content file, a digital signature of the digital content        file by an entity that generates the blockchain, and/or a        digital signature of a certification entity;    -   prior to generating a digital signature of the digital content        file by an entity that generates the blockchain, verifying that        the message digest for the digital content file within the        record for the digital content file matches an        independently-generated message digest for the digital content        file;    -   prior to generating the digital signature of the digital content        file by the entity that generates the blockchain, verifying the        digital signature of the digital content file by the data owner        of the digital content file;    -   verifying, by the entity that generates the blockchain, that the        message digest for the digital content file within the record        for the digital content file matches an independently-generated        message digest for the digital content file;    -   based on at least the message digest for the digital content        file within the record for the digital content file matching the        independently-generated message digest for the digital content        file, inserting a digital signature of the digital content file        by the entity that generates the blockchain into the record for        the digital content file;    -   the digital signature of the digital content file by the        certification entity indicates that the digital content file has        been examined for trustworthiness;    -   during the block accumulation period in which the record for the        digital content file is received, transmitting, over a network,        to a data owner of the digital content file, a message digest of        the record for the digital content file that is used for        chaining a record subsequent to the record for the digital        content file to the record for the digital content file in the        record chain;    -   receiving, by the data owner of the digital content file, the        transmitted message digest;    -   retrieving, over the network, a copy of at least a portion of        the blockchain, the portion of the blockchain comprising the        closed block in which the record for the digital content file is        included;    -   comparing the transmitted message digest with the message digest        within the record for the digital content file within the closed        block that is used for chaining the record subsequent to the        record for the digital content file to the record for the        digital content file;    -   responsive to a mismatch between the transmitted message digest        with the message digest within the record for the digital        content file within the closed block that is used for chaining        the record subsequent to the record for the digital content file        to the record for the digital content file, generating an alert        for the entity that generates the blockchain and/or an entity        that generates the record chain;    -   chaining the received plurality of records comprises chaining        the received plurality of records according to the sequence of        receiving;    -   chaining records comprises inserting a message digest for an        earlier record into a subsequent record;    -   appending the plurality of records into the currently open block        comprises appending the record chain into the currently open        block;    -   the record chain provides a first chaining tier and chaining the        multiple blocks provides a second chaining tier;    -   appending the plurality of records into the currently open block        comprises appending the record chain into the currently open        block;    -   inserting the message digest for the earlier block into the        subsequent block comprises: generating a record for the earlier        block, the record for the earlier block including the message        digest for the earlier block and inserting the record for the        earlier block into the subsequent block;    -   inserting the record for the earlier block into the record        chain, so that the record for the earlier block further includes        a message digest of a final record of the record chain within        the earlier block;    -   the record for the earlier block includes a digital signature of        the earlier block by an entity that generates the blockchain;    -   at least one record of the plurality of records further        comprises a digital content timestamp indicating a time for the        digital content file;    -   at least one record of the plurality of records further        comprises a record timestamp indicating a time for the record        for the digital content file;    -   the digital content timestamp is included within a digital        signature by the data owner;    -   the record timestamp is included within a digital signature by        the data owner;    -   the record timestamp indicates a time of the receiving of the        record;    -   the reference to the first other record comprises a blockchain        address of a record for the first prior-version digital content        file;    -   the blockchain address comprises an index of the record for the        prior-version digital content file within a block in which the        record for the prior-version digital content file appears;    -   at least one record of the plurality of records further        comprises: a second linking field indicating, by its position        within the record for the digital content file that, when the        first linking field references the first other record and the        second linking field references a second other record, the        digital content file comprises a merge of the first        prior-version digital content file and a second first        prior-version digital content file, wherein the second other        record comprises a record for the second prior-version digital        content file;    -   at least one record of the plurality of records further        comprises: a certification linking field indicating, by its        position within the record for the digital content file that,        when the certification linking field references another record,        the digital content file comprises at least one file selected        from the list consisting of: a certification for another digital        content file, a revocation of certification for another digital        content file, and content for which another digital content file        provides certification, wherein the reference to the other        record comprises a blockchain address of a record for the first        prior-version digital content file;    -   searching, within blocks of the blockchain that are subsequent        to the closed block in which the record for the digital content        file appears, for references to the record for the digital        content file; responsive to identifying a reference to the        record for the digital content file in a referencing record,        determining whether determining whether the referencing record        comprises a record for a later version of the digital content        file;    -   responsive to determining that the referencing record comprises        the record for the later version of the digital content file,        iteratively searching the blockchain for further later versions        of the digital content file;    -   retrieving, over a network, by a data consumer, a copy of at        least a portion of the blockchain;    -   retrieving, from the blockchain, the first other record;    -   searching, within the first other record for a linking field        reference to an earlier prior-version record;    -   iteratively searching the blockchain for prior version records        to establish a pedigree of the digital content file;    -   the subsequent record is the immediately subsequent record;    -   the subsequent block is the immediately subsequent block;    -   the message digest comprises at least a portion of a first SHA        function message digest;    -   the message digest comprises at least a portion of a first        message digest from a first hash function and at least a portion        of a second message digest from a second hash function;    -   the message digest comprises a first message digest for a        concatenation of the digital content file with a second message        digest for the digital content; and    -   the message digest comprises a portion, less than the entirety,        of a message digest from a hash function.

Having described aspects of the disclosure in detail, it will beapparent that modifications and variations are possible withoutdeparting from the scope of aspects of the disclosure as defined in theappended claims. As various changes could be made in the aboveconstructions, products, and methods without departing from the scope ofaspects of the disclosure, it is intended that all matter contained inthe above description and shown in the accompanying drawings shall beinterpreted as illustrative and not in a limiting sense. While thedisclosure is susceptible to various modifications and alternativeconstructions, certain illustrated examples thereof are shown in thedrawings and have been described above in detail. It should beunderstood, however, that there is no intention to limit the disclosureto the specific forms disclosed, but on the contrary, the intention isto cover all modifications, alternative constructions, and equivalentsfalling within the spirit and scope of the disclosure.

1. A method of establishing integrity of digital content, the methodcomprising: during a block accumulation period: receiving a plurality ofrecords in a sequence, each record of the plurality of recordsrespectively comprising a record for a digital content file andincluding a message digest for the digital content file; chaining theplurality of records using message digests, to produce a record chain,wherein chaining records comprises inserting a message digest for anearlier record into a subsequent record; and appending the plurality ofrecords into a currently open block of a blockchain upon an end of theblock accumulation period: closing the currently open block toadditional records, rendering the currently open block into a closedblock; and opening a new current block into which a future plurality ofrecords may be appended; chaining the closed block to the blockchain,wherein chaining blocks to the blockchain comprises inserting a messagedigest for an earlier block into a subsequent block; and iterativelyopening, appending, and chaining multiple blocks across multiple blockaccumulation periods to produce the blockchain, wherein the record chainprovides a first chaining tier and chaining the multiple blocks providesa second chaining tier, and wherein the blockchain does not containcontent from the digital content file.
 2. The method of claim 1 furthercomprising: generating, for the closed block, an out-of-band date proof,the out-of-band date proof comprising a message digest for the closedblock that is used for chaining a block subsequent to the closed blockto the closed block in the blockchain.
 3. The method of claim 1 furthercomprising: verifying that the record chain has not been altered byiteratively: generating new message digests for records within therecord chain; and comparing the new message digests with message digestsin subsequent records that are used for chaining records in the recordchain; and wherein chaining the closed block to the blockchaincomprises: responsive to the new message digests matching the messagedigests in subsequent records, chaining the closed block to theblockchain.
 4. The method of claim 1 wherein receiving the record forthe digital content file comprises: receiving the digital content fileand generating, for the digital content file, the message digest that isincluded within the record for the digital content file.
 5. The methodof claim 1 further comprising: storing the digital content file as astored digital content file.
 6. The method of claim 5 furthercomprising: retrieving, over a network, by a data consumer, the storeddigital content file; generating a message digest for the retrievedstored digital content file; retrieving, over the network, a copy of atleast a portion of the blockchain, the portion of the blockchaincomprising the closed block in which the record for the digital contentfile is included; comparing the generated message digest for theretrieved stored digital content file with the message digest for thedigital content file within the record for the digital content filewithin the closed block; and responsive to a match between the generatedmessage digest for the retrieved stored digital content file and themessage digest for the digital content file within the record for thedigital content file within the closed block, inserting digital contentfrom the digital content file into a product.
 7. The method of claim 6further comprising: generating a message digest for the retrieved closedblock; retrieving an out-of-band date proof comprising a message digestfor the closed block; comparing the generated message digest for theretrieved closed block with the message digest from the out-of-band dateproof; and wherein inserting digital content from the digital contentfile into a product comprises: responsive to both a match between thegenerated message digest for the retrieved stored digital content fileand the message digest for the digital content file within the recordfor the digital content file within the closed block, and a matchbetween the generated message digest for the retrieved closed block andthe message digest for the closed block within the out-of-band dateproof, inserting digital content from the digital content file into aproduct.
 8. The method of claim 1 wherein at least one record of theplurality of records further includes, in addition to the message digestfor the digital content file and the message digest for the earlierrecord, a digital signature of the digital content file by a data ownerof the digital content file, and/or a digital signature of the digitalcontent file by an entity that generates the blockchain.
 9. The methodof claim 1 further comprising: during the block accumulation period inwhich the record for the digital content file is received, transmitting,over a network, to a data owner of the digital content file, a messagedigest of the record for the digital content file that is used forchaining a record subsequent to the record for the digital content fileto the record for the digital content file in the record chain.
 10. Themethod of claim 9 further comprising: receiving, by the data owner ofthe digital content file, the transmitted message digest; retrieving,over the network, a copy of at least a portion of the blockchain, theportion of the blockchain comprising the closed block in which therecord for the digital content file is included; comparing thetransmitted message digest with the message digest within the record forthe digital content file within the closed block that is used forchaining the record subsequent to the record for the digital contentfile to the record for the digital content file; and responsive to amismatch between the transmitted message digest with the message digestwithin the record for the digital content file within the closed blockthat is used for chaining the record subsequent to the record for thedigital content file to the record for the digital content file,generating an alert for the entity that generates the blockchain and/oran entity that generates the record chain.
 11. The method of claim 1wherein chaining the received plurality of records comprises chainingthe received plurality of records according to the sequence ofreceiving.
 12. The method of claim 1 wherein appending the plurality ofrecords into the currently open block comprises appending the recordchain into the currently open block.
 13. The method of claim 1 whereininserting the message digest for the earlier block into the subsequentblock comprises: generating a record for the earlier block, the recordfor the earlier block including the message digest for the earlierblock; and inserting the record for the earlier block into thesubsequent block.
 14. The method of claim 13 further comprising:inserting the record for the earlier block into the record chain, sothat the record for the earlier block further includes a message digestof a final record of the record chain within the earlier block.
 15. Themethod of claim 13 wherein the record for the earlier block includes adigital signature of the earlier block by an entity that generates theblockchain.
 16. The method of claim 1 wherein the message digestcomprises at least a portion of a first secure hash algorithm (SHA)function message digest.
 17. The method of claim 1 wherein the messagedigest comprises at least a portion of a first message digest from afirst hash function and at least a portion of a second message digestfrom a second hash function.
 18. The method of claim 1 wherein themessage digest comprises a first message digest for a concatenation ofthe digital content file with a second message digest for the digitalcontent.
 19. The method of claim 1 wherein: the subsequent record is theimmediately subsequent record; the subsequent block is the immediatelysubsequent block; receiving the record for the digital content filefurther comprises receiving a digital signature of the digital contentfile by a data owner of the digital content file; prior to generating adigital signature of the digital content file by an entity thatgenerates the blockchain, verifying that the message digest for thedigital content file within the record for the digital content filematches an independently-generated message digest for the digitalcontent file; prior to generating the digital signature of the digitalcontent file by the entity that generates the blockchain, verifying thedigital signature of the digital content file by the data owner of thedigital content file; and the message digest comprises a portion, lessthan the entirety, of a message digest from a hash function.
 20. Asystem for establishing integrity of digital content, the systemcomprising: a processor; and a computer-readable medium storinginstructions that are operative upon execution by the processor to:during a block accumulation period: receive a plurality of records in asequence, each record of the plurality of records respectivelycomprising a record for a digital content file and including a messagedigest for the digital content file; chain the plurality of recordsusing message digests, to produce a record chain, wherein chainingrecords comprises inserting a message digest for an earlier record intoa subsequent record; and append the plurality of records into acurrently open block of a blockchain; upon an end of the blockaccumulation period: close the currently open block to additionalrecords, rendering the currently open block into a closed block; andopen a new current block into which a future plurality of records may beappended; chain the closed block to the blockchain, wherein chainingblocks to the blockchain comprises inserting a message digest for anearlier block into a subsequent block; and iteratively open, append, andchain multiple blocks across multiple block accumulation periods toproduce the blockchain, wherein the record chain provides a firstchaining tier and chaining the multiple blocks provides a secondchaining tier, and wherein the blockchain does not contain content fromthe digital content file.